Introduction


The SC-900 exam is targeted to those looking to familiarize themselves with the fundamentals of security, compliance, and identity (SCI) across cloud-based and related Microsoft services. This exam is targeted for a broad audience that includes business stakeholders, new or existing IT professionals, or students who have an interest in Microsoft security, compliance, and identity solutions. This exam covers topics such as Microsoft Azure and Microsoft 365 and requires you to understand how Microsoft security, compliance, and identity solutions can span across these areas to provide a holistic and end-to-end solution. This book covers every major topic area found on the exam, but it does not cover every exam question. Only the Microsoft exam team has access to the exam questions, and Microsoft regularly adds new questions to the exam, making it impossible to cover specific questions. You should consider this book a supplement to your relevant real-world experience and other study materials. If you encounter a topic in this book that you do not feel completely comfortable with, use the “Need more review?” links you'll find in the text to find more information. Be sure to research and study these topics. Great information is available on docs.microsoft.com, MS Learn, and in blogs and forums.


Organization of this book 


This book is organized by the “Skills Measured” list published for the exam. The “Skills measured” list is available for each exam on the Microsoft Learning website: http://aka.ms/examlist. Each chapter in this book corresponds to a major topic area in the list, and the technical tasks in each topic area determine that chapter's organization. If an exam covers six major topic areas, for example, the book will contain six chapters.


Preparing for the exam 


Microsoft certification exams are a great way to build your resume and let the world know 
about your level of expertise. Certification exams validate your on-the-job experience and 
product knowledge. Although there is no substitute for on-the-job experience, preparation 
through study and hands-on practice can help you prepare for the exam. This book is not 
designed to teach you new skills. 


We recommend that you augment your exam preparation plan by using a combination of available study materials and courses. For example, you might use the Exam Ref and another study guide for your “at-home” preparation and take a Microsoft Official Curriculum course for the classroom experience. Choose the combination that you think works best for you. Learn more about available classroom training and find free online courses and live events at http://microsoft.com/learn. Microsoft official practice tests are available for many exams at http://aka.ms/practicetests.


Note that this Exam Ref is based on publicly available information about the exam and the 
authors’ experience. To safeguard the integrity of the exam, authors do not have access to the 
live exam. 


Microsoft certification 


Microsoft certifications distinguish you by proving your command of a broad set of skills and 
experience with current Microsoft products and technologies. The exams and corresponding 
certifications are developed to validate your mastery of critical competencies as you design 
and develop or implement and support solutions with Microsoft products and technologies— 
both on-premises and in the cloud. Certification brings a variety of benefits to the individual 
and to employers and organizations. 


MORE INFO ALL MICROSOFT CERTIFICATIONS


For information about Microsoft certifications, including a full list of available certifications, 
go to http://www.microsoft.com/learn. 


Check back often to see what is new! 


Errata, updates & book support 


We've made every effort to ensure the accuracy of this book and its companion content. You 
can access updates to this book—in the form of a list of submitted errata and their related 
corrections—at: 


MicrosoftPressStore.com/ExamRefSC900/errata 


If you discover an error that is not already listed, please submit it to us at the same page. 
For additional book support and information, please visit MicrosoftPressStore.com/Support. 


Please note that product support for Microsoft software and hardware is not offered 
through the previous addresses. For help with Microsoft software or hardware, go to 
http://support.microsoft.com. 




Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


Stay in touch 


Let's keep the conversation going! We're on Twitter: http://twitter.com/MicrosoftPress. 




Describe the concepts of security, compliance, and identity


Building a foundational knowledge of key principles applicable to security, compliance, and identity is imperative for any professional who needs to work with Microsoft solutions targeting each of those domains. Some principles will apply to all three domains, and some will be more specific to one or more individual domains. Zero-trust is a great example of a methodology that should extend throughout the entire digital estate of your enterprise and serve as an integrated security philosophy and end-to-end strategy.


Skills covered in this chapter:
■ Security technologies
■ Security concepts
■ Microsoft security and compliance principles


Skill 1-1: Security and compliance concepts and methodologies


Security methodologies are important for helping organizations adapt to the complexity of modern environments while embracing a mobile workforce and protecting people, devices, data, and applications. It is also imperative to revisit some long-standing security methodologies that were established long ago. Cloud computing has fundamentally changed the landscape, so our security methodologies also need to change.


This section of the chapter covers the skills necessary to define the security methodologies 
according to the SC-900 exam outline. 


Zero-trust methodology 


These days, with users working on different devices from any location and accessing apps across different cloud services, it is critical to keep users’ identities secure. The old security assumption that everything on the corporate network behind the firewall is considered to be trusted is no longer correct. With cloud adoption, identity becomes the new perimeter, the preferred control plane for your entire infrastructure, regardless of the location—on-premises or in the cloud. You use the user's identity to control access to any services from any device and obtain visibility and insights into how your data is being used.


Zero Trust describes an approach to security and a mindset that shifts security defenses 
from static, network-based perimeters to dynamic protections focused on users, assets, and 
resources. Also, as the name implies, you start from not trusting anything and always verifying 
trustworthiness explicitly. The guiding principles of the zero-trust methodology are as follows: 


■ Always verify: Make sure that you always authenticate and authorize access based on all available elements, which can include a user's identity, location, device health, data classification, service, or workload.

■ Use least privilege access: Whenever possible, use just-in-time (JIT) and just-enough-access (JEA) to ensure better data protection.

■ Assume breach: If you always assume that an attacker has gained some access to the environment, you can create better security controls for each system component. This principle enables you to both prevent incidents and rapidly respond to them.


EXAM TIP Make sure you remember those guiding principles because there is a high 
probability that you will be questioned about them on the SC-900 exam. 


Microsoft suggests the implementation of zero-trust controls and technologies across six 
foundational elements, which are represented in Figure 1-1. 


[Figure 1-1: zero-trust security shown at the center, surrounded by the foundational elements (identity among them), with automation spanning them]

FIGURE 1-1 Zero-trust across the enterprise
Each one of those elements will have general design considerations that should be addressed, as well as unique requirements from the organization's perspective. At the same time, each element has its core security best practices that should be applied. The following list provides more details about these elements:


■ Identity: When an identity attempts to access a resource, it is important to ensure the risk is low that an attacker is controlling the account. The identity risk level of a session can vary by the strength of the authentication and how similar the attributes and signals are to the normal expected behavior of the account.

■ Endpoint: Make sure you monitor and enforce device health and compliance before granting resource access to users on that device.

■ Data: Data is ultimately the asset that must be protected, which means the security system must understand its value (using classification labels) and apply the proper security policies, so that the appropriate level of protection follows the data wherever it goes.

■ Apps: Apps allow people and systems to access data, and they generate business value that must be protected. You need to apply controls and technologies to discover all your apps (including shadow IT); set the right access policies; ensure that the appropriate controls and configurations are applied to the apps (including the access model); allow or deny access based on real-time data and analytics; monitor for any abnormal behavior; and make sure that you rapidly respond to attacks on the apps to limit the time that attackers have access to them.

■ Infrastructure: Regardless of your infrastructure location (on-premises, in the cloud, or hybrid), make sure that you have good security hygiene (security patches, secure configurations, and so on) and that you detect attacks and anomalies using all available telemetry. Automatically block and flag risky behavior and take protective actions.

■ Network: The network provides connectivity and access control, so it should be closely aligned to an overall enterprise access-control strategy that also includes identity controls. Providing private networks for existing applications that protect against unsolicited internet traffic (such as through network segmentation) is still a good practice. However, you can also apply more granular micro-segmentation to further protect workloads from attacks on the private network. Migrating workloads to the cloud is the ideal moment to improve your real-time threat protection, end-to-end encryption, monitoring, and analytics across all networks.


Microsoft's vision of zero-trust also includes full visibility across all those elements in an integrated interface. With each of these individual areas generating their own relevant alerts, we need an integrated capability to manage the resulting influx of data to better defend against threats and validate trust in a transaction. It is also important to wrap up the integration of those elements with automation and orchestration to facilitate both the implementation and the response time for incidents.


To make sure that you have all that in place, you need governance, which will give you more visibility and policy management. Zero-trust allows you to automate the enforcement of security policies, which ensures compliant access decisions and configurations throughout the entire enterprise. The access policies should be used to consistently decide whether to allow access, deny access, or dynamically manage risk in real-time by asking for additional authentication challenges (such as multifactor authentication) or applying access restrictions to the session. Figure 1-2 shows an example of how this high-level architecture looks.
[Figure 1-2: Governance (visibility and policy) spans the architecture. Below it, Access control (identity and network) and Asset protection (classification, protection, tokenization) surround Data; Threat intelligence and Microsoft Sentinel are shown alongside.]

FIGURE 1-2 Zero-trust implementation
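The access-policy decision described above (allow, deny, or dynamically manage risk through a step-up challenge or session restrictions), together with the three guiding principles listed earlier, as a worked example. This is added illustration code, not Microsoft's implementation or the book's own; the signal names, data classes, and rule order are this example's assumptions, and the sample requests are constructed.

```go
package main

import "fmt"

// AccessRequest carries the signals a zero-trust policy engine evaluates for
// one request. The field names are this example's own, not a Microsoft API.
type AccessRequest struct {
	Authenticated     bool   // the identity proved who it is
	MFACompleted      bool   // a second factor was satisfied in this session
	DeviceCompliant   bool   // endpoint health/compliance as reported by device management
	KnownLocation     bool   // request comes from a location the account normally uses
	IdentityRiskHigh  bool   // sign-in signals depart strongly from the account's normal behavior
	DataClass         string // classification label: "public", "internal" or "confidential"
	RequestedRole     string // "reader" or "contributor"
	JustInTimeGranted bool   // an elevated role was approved for this session only (JIT/JEA)
}

// Decision is the outcome of evaluating the access policies.
type Decision string

const (
	Allow           Decision = "allow"
	Deny            Decision = "deny"
	RequireMFA      Decision = "require-mfa"              // dynamic risk management: step-up challenge
	AllowRestricted Decision = "allow-restricted-session" // dynamic risk management: session restrictions
)

// Evaluate applies the three guiding principles to a request and returns the
// decision together with the rule that produced it.
func Evaluate(r AccessRequest) (Decision, string) {
	// Always verify: nothing is trusted because of where it connects from;
	// every request must present an authenticated identity.
	if !r.Authenticated {
		return Deny, "identity not authenticated"
	}
	// Assume breach: an account whose signals look compromised gets nothing
	// until the risk is remediated, regardless of its permissions.
	if r.IdentityRiskHigh {
		return Deny, "identity risk level is high"
	}
	// Least privilege: an elevated role is only available through a
	// just-in-time grant scoped to this session.
	if r.RequestedRole == "contributor" && !r.JustInTimeGranted {
		return Deny, "elevated role requires a just-in-time grant"
	}
	// Data classification drives the assurance level the session must reach.
	if r.DataClass == "confidential" {
		if !r.DeviceCompliant {
			return Deny, "confidential data requires a compliant device"
		}
		if !r.MFACompleted {
			return RequireMFA, "confidential data requires multifactor authentication"
		}
	}
	// An unfamiliar location is not a reason to deny outright, but it is a
	// reason to ask for an additional authentication challenge.
	if !r.KnownLocation && !r.MFACompleted {
		return RequireMFA, "sign-in from an unfamiliar location"
	}
	// A non-compliant device may still read less sensitive data, but only in
	// a restricted session (for example, browser-only access with no download).
	if !r.DeviceCompliant {
		return AllowRestricted, "device not compliant; session restrictions applied"
	}
	return Allow, "all signals satisfied"
}

func main() {
	// Constructed sample requests; not telemetry from any real tenant.
	samples := []AccessRequest{
		{Authenticated: false, DataClass: "public", RequestedRole: "reader"},
		{Authenticated: true, IdentityRiskHigh: true, DeviceCompliant: true, KnownLocation: true, DataClass: "internal", RequestedRole: "reader"},
		{Authenticated: true, DeviceCompliant: true, KnownLocation: true, DataClass: "confidential", RequestedRole: "reader"},
		{Authenticated: true, DeviceCompliant: false, KnownLocation: true, DataClass: "internal", RequestedRole: "reader"},
		{Authenticated: true, MFACompleted: true, DeviceCompliant: true, KnownLocation: true, DataClass: "confidential", RequestedRole: "contributor", JustInTimeGranted: true},
	}
	for i, r := range samples {
		d, why := Evaluate(r)
		fmt.Printf("request %d: %-24s (%s)\n", i+1, d, why)
	}
}
```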


Notice in Figure 1-2 that security policy enables users and devices to have a seamless and 
secure experience when accessing data directly or accessing it from an application. It is also 
important to call out the visibility of security operations with the use of Microsoft Sentinel as 
a Security Information and Event Management (SIEM) system to consolidate all events and 
alerts that were triggered across different services. The use of a modern SIEM platform such 
as Microsoft Sentinel is imperative for zero-trust because the SIEM relies heavily on signal and 
solution integration to be successful. 


It is also very important to understand that not every organization has the same maturity 
level to implement zero-trust across all segments and use the latest and greatest technologies. 
When you evaluate a scenario, you need to consider the organization's maturity level when 
planning which steps to take first. Let's use the following companies as an example: 


■ Contoso’s current scenario:
    ■ On-premises identity with a partial level of single sign-on (SSO).
    ■ IT has limited visibility across the different workloads and the devices' health status.
    ■ Flat network infrastructure.
■ Fabrikam’s current scenario:
    ■ Hybrid identity (integrated cloud and on-premises identities).
    ■ Policies in place to grant access to data, apps, and network.
    ■ Segmented networks.
    ■ Fabrikam has started to utilize analytics to understand users’ behavior better and to identify threats.


These two organizations are in different stages of their journeys. Contoso has basic, traditional capabilities that are heavily dependent on on-premises resources. Fabrikam has more advanced maturity and has already started using a modern hybrid identity and analytics.


When planning the implementation of zero-trust for both organizations, you will see that 
you need to start with what they have and move forward with that. A reasonable goal is to 
move Contoso to be more like Fabrikam. Fabrikam’s goal should be set to a more optimal 
maturity model, such as implementing passwordless authentication and determining risk with 
real-time behavior analyses. 


MORE INFO IMPLEMENTATION DETAILS BY SEGMENT


The SC-900 exam doesn't go into implementation details for each of those segments, but you 
can use the following resources to learn more about them: 


■ Identity http://aka.ms/ZTIdentity
■ Endpoints http://aka.ms/ZTEndpoints
■ Applications http://aka.ms/ZTApplications
■ Data http://aka.ms/ZTData
■ Infrastructure http://aka.ms/ZTInfrastructure
■ Networks http://aka.ms/ZTNetwork


Shared responsibility model 


In a traditional datacenter, the IT organization is responsible for the entire infrastructure 
(except for the networks connecting different physical sites). This is how on-premises comput- 
ing has worked from the beginning of modern client/server computing (and even before that 
in the mainframe era). If there was something wrong with the network, storage, or compute 
infrastructure, the IT organization was responsible for finding out what the problem was and 
fixing it. 

The same went for the security organization. The security organization worked with the IT 
organization to ensure that all components of the IT infrastructure were secure. The corporate 
security organization set requirements, rationalized those requirements with the corporate IT 
organization, and then defined controls that could be implemented by the IT infrastructure 
and operations staff. The security organization would also define compliance requirements 
and be responsible for auditing the infrastructure to make sure that those requirements were 
met on an ongoing basis. 


All this is still true for the on-premises datacenters in your estate. However, with the intro- 
duction of public cloud computing, the IT and security organizations had a new partner—the 
cloud service provider (CSP). The CSP has its own IT infrastructure and is responsible for the 
security requirements and controls implemented on their underlying infrastructures. 
This shifts IT to a shared responsibility model for workloads hosted by the CSPs. Which responsibilities are shared varies depending on the exact workload and service, but it roughly aligns to the cloud service model: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). Figure 1-3 shows an example of how these responsibilities will vary for each service, including on-premises, where the customer has full control over all resources.


[Figure 1-3: a matrix of responsibilities by service model. Columns: SaaS, PaaS, IaaS, On-premises. Rows: Information and data; Devices (mobile and PCs); Accounts and identities; Identity and directory infrastructure; Applications; Network controls; Operating system; Physical hosts; Physical network; Physical datacenter. Each cell is shaded to indicate whether the responsibility falls to Microsoft or to the customer.]

FIGURE 1-3 Shared responsibility model


As you can see in Figure 1-3, the left column shows ten core responsibilities that organiza- 
tions should consider. These responsibilities contribute to achieving a compliant and secure 
computing environment state. When using cloud computing, physical security is the one 
responsibility that is wholly owned by cloud service providers (CSP). Physical security is only the 
full responsibility of the customer in an on-premises deployment. 


The remaining responsibilities are shared between customers and cloud service providers. 
Some responsibilities require the CSP and customer to manage and administer the responsibil- 
ity together. It is important to mention that regardless of the type of deployment, the follow- 
ing responsibilities are always retained by the customer: data, endpoints, account, and access 
management. 


Understanding the division of responsibility based on the cloud service delivery model 
is more than just an academic exercise. When you adopt public cloud services, you'll need 
to know how to map what you're responsible for and what your cloud service provider is 
responsible for. You'll then define your requirements and adjust your processes, goals, and technical designs based on this understanding.


Defense-in-depth 


The principle of defense-in-depth is not new. In fact, it has evolved over the years, though add- 
ing multiple layers of protection is the fundamental concept. Doing so makes it hard for the 
attacker to access the desired data. 


This layered approach increases an attacker's risk of detection while reducing an attacker's 
chance of success. By using this approach, you are also enhancing your CIA (confidential- 
ity, integrity, and availability, which are known as the CIA pillars). When you add more layers 
of protection, you decrease the likelihood that a threat actor will compromise confidential 
information or alter information that could harm the integrity of the data. Doing so increases 
the availability level because the threat actor needs to take down multiple layers of protection 
before they can compromise the overall availability. As you design defense-in-depth layers, it’s 
important to focus on making it harder for attackers (increasing their cost) while ensuring that 
legitimate users and processes can function well. 


Table 1-1 shows a summary of the rationale behind each CIA pillar and provides some 
examples of security controls that you can leverage in Azure to enforce those pillars. 


TABLE 1-1 CIA pillars

Design principle | Rationale                                                                                | Security control
-----------------|------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------
Confidentiality  | Ensure that customer's data is accessible only by authorized users/objects               | Identity management; isolation; encryption
Integrity        | Protect customer's data (compute and storage) against unauthorized changes               | Identity management; isolation; encryption; key management
Availability     | Provide numerous levels of redundancy to maximize the availability of customer data      | Storage replication; geo-redundant storage; disaster recovery process; availability sets; load balancer

Note also that safety is a critical assurance in operational technology environments where 
computers control physical machines and processes (such as industrial control systems [ICS] 
and supervisory control and data acquisition [SCADA] technologies). 

Defense-in-depth was a common philosophy when there was a distinct separation of 
trusted and untrusted networks that were separated by a firewall. Adding multiple layers of 
protection between the Internet and the internal (trusted) network was commonly discussed 
and planned (though not always applied consistently in practice). Later, it expanded to also 
include multiple layers of different types of protection per component, as shown in Figure 1-4. 
FIGURE 1-4 Traditional defense-in-depth


The same foundational model applies today, but it uses different security controls and is 
easier to apply in a software-defined cloud datacenter like Azure. For example, Azure can pro- 
vide scale and expertise to protect against large and sophisticated DDoS attacks. However, fol- 
lowing the shared responsibility model that we have in cloud computing, customers must also 
design their applications to be ready for a massive amount of traffic. Some key capabilities for 
applications include high availability, scale-out, resiliency, fault tolerance, and attack surface 
area reduction. Azure DDoS protection is part of the defense-in-depth for Azure Networks 
approach, as shown in Figure 1-5. 
FIGURE 1-5 Azure network defense-in-depth approach


When you think about defense-in-depth in an Azure network, you must think about all the 
security controls that can be around the service that you are trying to protect. Also, you need 
to consider all the other security controls that will be in place between the attacker and the 
resource that you are trying to protect. 
MORE INFO DEFENSE-IN-DEPTH WITH AZURE


To learn more about how Azure technologies are used to provide defense-in-depth, see this overview video: https://azure.microsoft.com/cs-cz/resources/videos/defense-in-depth-security-in-azure/.


Common threats 


Current threats range from old (but effective) techniques to the newest innovations from 
state-sponsored attacks and criminal groups and everything in between. The threats tend to 
focus on what works (such as phishing emails) and follow the trends of the world (targeting 
common mistakes in cloud adoption and using cloud resources to attack on-premises assets 
and vice-versa). 


Malware is a term used to describe malicious applications and code that can cause damage 
and disrupt the normal use of devices. There are many types of malware, and the functionality 
of that malware depends on its purpose. In general, malware can allow unauthorized access, use 
system resources, steal passwords, lock you out of your computer, demand ransom, and more. 


According to the Microsoft Digital Defense Report 2020, cyberattackers closely followed 
the development of the pandemic to give them a better chance of success by leveraging 
COVID-19 as the main theme for the attacks. Based on Microsoft telemetry, malware increased 
from about 50,000 encounters on March 11, 2020 to about 70,000 encounters when the United 
States announced the travel ban to Europe on March 14, 2020. The data also showed that 
cybercriminals reduced their dwell time within the victims’ systems by taking advantage of the 
victims’ lack of security hygiene. The hypothesis was that there would be an increase in user 
willingness to pay (in the case of ransomware) because of the pandemic. 


Although some of these attacks might be using modern techniques, most of them are still 
leveraging old techniques such as phishing email. Phishing attacks attempt to steal sensitive 
information through emails, websites, text messages, or other forms of electronic communica- 
tion. Although phishing attacks are old, they are still being used because they deal with human 
behavior, which stays fairly constant. Social engineering attacks are designed to take advan- 
tage of a user's mistake when reading an email and deciding whether the email is legitimate. 

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are still in use 
today. These types of attacks affect the availability (one of the CIA pillars) by limiting the func- 
tion of a network application or exhausting a computing resource until it becomes unavailable. 
From the network perspective, the following threats are still in use in one way or another: 

■ Port scanning attacks: This type of attack is usually used during the reconnaissance (also called recon) phase, where the attacker is trying to learn more about the ports available for exploitation.

■ Eavesdropping attacks: This is a passive type of attack, where the attacker captures packets in transit.

■ Man-in-the-middle attacks (MITMs): Usually utilized by attackers to impersonate a legitimate host on the network and take over the communication.


It is also important to mention that attacks might use multiple techniques. On March 13, 2020, the Brno University Hospital in the city of Brno, Czech Republic was hit by a ransomware attack in the middle of the pandemic. The hospital was forced to shut down the entire network. As a result, doctors were unable to access patient data, some data was lost, and surgeries had to be postponed. The attack most likely started with a spear-phishing email, followed by the deployment of the ransomware. Ransomware is used in extortion attacks and is a type of malware that encrypts files and folders and prevents access to important files by the rightful owners. Cybercriminals who deploy the ransomware attempt to extort money from victims by asking for money—usually in the form of cryptocurrencies—in exchange for the decryption key. Unfortunately, cybercriminals won't always follow through and unlock the files they encrypted, and they might also steal those files or threaten to disclose them on the Internet.


One of the most challenging aspects of defending your systems against cybercriminals is 
recognizing when those systems are being used for some sort of criminal activity in the first 
place, such as when they are part of a botnet. A botnet is a network of compromised devices 
that an attacker controls without the knowledge of their owners. Botnets are not new; a 2012 
Microsoft study found that cybercriminals infiltrated insecure supply chains using the Nitol 
botnet, which introduced counterfeit software embedded with malware to secretly infect 
computers even before they were purchased. 


Data breaches can occur for different reasons, such as a malware compromise that allows 
data to be extracted or when a user member of a group has their credentials compromised. 
However, some data-breach scenarios occur because a device is lost, which can result in out- 
comes like the following: 

■ Unauthorized users accessing data from a lost or stolen removable drive
■ Data leakage arising from a lost or stolen laptop or removable media that contains confidential information
■ Data leakage arising from user emails with sensitive content inadvertently being sent to an unintended recipient or recipients


Encryption 


When migrating to the cloud, you should make sure that the data is protected no matter where 
this data is located. Data is stored and transferred over multiple systems, so you need to think 
about the different locations of the data over time. Figure 1-6 illustrates these stages. 
FIGURE 1-6 Data locations over time


Figure 1-6 illustrates the following five stages: 


1. Data at rest in the user's device: In this stage, the data is located at the endpoint, which can be any device. You should always enforce data encryption at rest for company-owned devices and user-owned devices (bring your own device—BYOD).

2. Data in transit from the user's device to the cloud: When data leaves the user's device, you should ensure that the data is still protected. There are many technologies (for example, Azure AD Information Protection) that can encrypt the data regardless of the location. It is also imperative to ensure that the transport channel is encrypted, therefore enforcing the use of transport layer security (TLS) to transfer the data.

3. Data at rest in the cloud provider's datacenter: When the data arrives in the cloud provider's servers, their storage infrastructure should ensure redundancy and protection. Make sure you understand how your CSP performs data encryption at rest, who is responsible for managing the keys, and how data redundancy is performed.

4. Data in transit from the cloud to on-premises: In this case, the same recommendations specified in stage two (data in transit from the user's device to the cloud) are applicable. Enforce data encryption on the file itself and encrypt the transport layer.

5. Data at rest on-premises: Customers are responsible for keeping their data secure on-premises. Data encryption at rest at the organization's datacenter is a critical step to accomplish that. Make sure you have the correct infrastructure to enable encryption, data redundancy, and key management.
While encryption is critically important, it is also critical to protect the keys used to encrypt and decrypt the data (which may be managed by you or by the cloud provider).


You should also consider other security controls to enhance the confidentiality and integrity 
of the information. You can digitally sign the message that you want to transmit. Based on that 
digital signature, the user can verify that the data has not been changed since it was signed. 
Another advantage of using this method is that the identity of the user who signed the data 
can also be verified. 


To enhance the integrity of the text that will be transmitted, you can also apply a hash of the 
text (also called a digest). The receiver can then compute a hash on the data received and com- 
pare the computed hash with the received hash. If it matches, this indicates that the received 
data has not been altered. 
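The digest check and the digital signature verification described in the two preceding paragraphs, as an added example (not code from the book or from Microsoft). It uses SHA-256 for the digest and Ed25519 for the signature, both from the Go standard library; the message text and the freshly generated key pair are constructed for the demonstration. The comments also note the caveat the paragraphs leave implicit: a bare digest detects accidental or opportunistic alteration, but only the signature ties the data to a known sender.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Digest computes the SHA-256 hash of a message and returns it as hex. The
// sender transmits this digest with the message so the receiver can check integrity.
func Digest(message []byte) string {
	sum := sha256.Sum256(message)
	return hex.EncodeToString(sum[:])
}

// VerifyDigest recomputes the hash over the bytes that arrived and compares it
// with the digest that arrived alongside them. A mismatch means the data changed.
// Note the limitation: an attacker who can alter the data can also replace the
// digest, so this only detects alteration, not a substituted sender.
func VerifyDigest(received []byte, receivedDigest string) bool {
	return Digest(received) == receivedDigest
}

// SignedMessage is what a sender transmits: the data, a detached signature,
// and the public key that identifies the signer.
type SignedMessage struct {
	Data      []byte
	Signature []byte
	Signer    ed25519.PublicKey
}

// Sign produces an Ed25519 signature over the message. Only the holder of the
// private key can produce it, which is what lets the receiver verify the signer.
func Sign(priv ed25519.PrivateKey, message []byte) SignedMessage {
	return SignedMessage{
		Data:      message,
		Signature: ed25519.Sign(priv, message),
		Signer:    priv.Public().(ed25519.PublicKey),
	}
}

// Verify checks both properties the text describes: the data has not changed
// since it was signed, and it was signed by the key the receiver already trusts.
// A message that carries some other key is rejected even if its signature is
// internally consistent, because the receiver has no basis to trust that key.
func Verify(m SignedMessage, trustedSigner ed25519.PublicKey) bool {
	if !trustedSigner.Equal(m.Signer) {
		return false
	}
	return ed25519.Verify(trustedSigner, m.Data, m.Signature)
}

func main() {
	// Constructed example message; the key pair is generated fresh on each run.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	original := []byte("Approve payment of 1,000 to vendor 4711")
	altered := []byte("Approve payment of 9,000 to vendor 4711")

	// Integrity only: the digest travels with the data.
	d := Digest(original)
	fmt.Println("digest matches on unmodified data:", VerifyDigest(original, d))
	fmt.Println("digest matches on altered data:   ", VerifyDigest(altered, d))

	// Integrity and origin: the signature travels with the data.
	signed := Sign(priv, original)
	fmt.Println("signature valid on original:      ", Verify(signed, pub))
	tampered := signed
	tampered.Data = altered
	fmt.Println("signature valid after tampering:  ", Verify(tampered, pub))
}
```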


MORE INFO DIGITAL SIGNATURES


For more detailed information about digital signatures, see https://docs.microsoft.com/en-us/ 
windows/win32/seccrypto/digital-signatures. 


Cloud Adoption Framework 


The Microsoft Cloud Adoption Framework for Azure was designed to assist you with creating 
and implementing strategies that are necessary for your organization to adopt cloud technolo- 
gies successfully. It provides best practices, documentation, and tools that cloud architects, 

IT professionals, and business decision-makers can use to achieve short-term and long-term 
goals successfully. 


MORE INFO CLOUD ADOPTION FRAMEWORK


To obtain the latest information about this framework, see https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/.


Skill 1-2: Identity concepts 


This objective deals with the fundamental concepts of identity. These are the building blocks 
for more advanced identity and access management solutions later in this chapter. Many of 
these terms and concepts are universal for any identity platform and are well worth the time 
spent to understand them. Also, this section will cover how modern identity challenges have 
come to be and how those challenges gave rise to the need for Azure Active Directory. These 
concepts will also help you build a strong identity foundational knowledge that can be leveraged
for other Microsoft security certifications that you plan to obtain. This section covers the
security concept skills according to the SC-900 exam outline.

Identity as the primary security perimeter


Modern environments are going through another radical change. Previously, our work environments
mostly existed on local intranets. Employees used their corporate computers from
within the corporate offices to access company resources such as file servers. The firewall was 
the perimeter boundary for the network. Anything inside the firewall was a company resource 
and was considered safe. Anything outside was the Internet and could be malicious. 


Some users did portions of their job remotely by taking their corporate machines home 
with them. To access the corporate network, we added VPNs into the mix. Again, our firewalls 
were still the security perimeters for our environment. 


Eventually, we started to see the rise in cloud-based applications that lived solely on the 
Internet. At first, many companies still required users to access these resources from the corporate
network, either physically in the corporate office or remotely through a VPN.


This strategy had drawbacks. First, network performance is not always ideal. It is slow and 
costly to use a high-speed Internet connection to send traffic back to the corporate network 
and then immediately send it back out to the Internet to the cloud resource and back the 
same way to the user. Second, users started using noncorporate, personally owned devices like 
mobile phones and tablets. Requiring them to use VPN to access the corporate network was 
not acceptable. 


Today, corporations have users who work from the corporate office, home, or in reality, 
anywhere. They access resources that can be on the corporate network or fully on the Internet. 
And they are doing all this from company-owned devices and personally owned computers 
and mobile devices. The traditional security perimeter is still useful, but it is not enough to 
protect a modern-day company. 


Identity is the only consistent thing across all these different combinations of scenarios in 
this modern environment, so it must be the new security perimeter for enterprises. This is a 
difficult shift in thinking for some companies to make, but it is clearly needed. With identity
as the security perimeter point of view, we need to increase our security in the identity
space. As you'll see later in this chapter, Azure Active Directory’s conditional access will let 
us enforce policy to ensure security conditions are met before we allow access to resources. 
We also have several ways to strengthen our identity credentials with passwordless-based 
authentication and other forms of multifactor authentication (MFA) using Windows Hello 
for Business or an authenticator app. This is extremely important because identity is the 
starting point for many attacks. 


What is authentication? 


From a conceptual standpoint, authentication—sometimes abbreviated as AuthN—is simply 
the act of something or someone proving its identity to something else. In other words, a 
person or device proves that they are who or what they claim to be. You come across authentication
many times in your daily life. When you log in to your computer with your username
and password, you have just authenticated. When you log in to check your email through a
browser or an application like Outlook, you have authenticated with your email provider. When 
you pick up your mobile device and use a biometric such as a fingerprint or your face to unlock 
the device, you have completed authentication again. If you go to the ATM to withdraw money, 
you first need to provide a card and then a PIN. If you successfully authenticate, you can then 
withdraw money from your account (if you have funds). You complete authentication dozens of 
times a day and don’t even think about it. 


There are many different authentication factors, and we'll cover some of those in more
depth later in this chapter. These authentication factors can be something you know, something
you have, or something you are. The most common factors are username and password.
However, these are the most easily compromised by an attacker. Also growing in popularity,
albeit slower than it should, is the use of multifactor authentication methods where multiple
authentication method types are required to authenticate—usually, the username and password,
along with another form of authentication. Text messages or phone calls are the most
common forms of multifactor authentication, but there are also methods such as a one-time
passcode (OTP), where the passcode can be used only once and is usually good for a limited
time. Authenticator apps, such as the Microsoft Authenticator app, send a push notification to
the device that is approved by the user. As previously mentioned, biometrics such as fingerprints
and facial recognition are commonly used. Non-human identities need to authenticate,
too. Computers and services authenticate to each other using certificates, shared secrets (really
just a password for an application), or specific protocols such as Kerberos. Authentication—it's
not just for people! Figure 1-7 shows some of these common authentication methods.

FIGURE 1-7 Common authentication methods


Figure 1-7 is not meant to show an exhaustive list of authentication methods; instead, it 
shows that there are many ways for someone or something to prove that it is who or what it 
claims to be. This can be human-to-service authentication or service-to-service authentication. 
Everything starts with authentication. 
What is authorization?


Authorization is another critical part of identity and access management. Authorization is
sometimes abbreviated as AuthZ. Conceptually, you can think of authorization as what something
is allowed to do. Once the system or services knows who you are—authentication—you
have rights or permissions to do things—authorization. These rights can be as simple as viewing
a file (a grant permission) or denying the ability to view a file (a deny permission). You've
probably experienced this when someone sends you a file or a link to a site, and when you tried
to open the file or visit the site, you received an Access Denied error message. This means you
don't have the authorization to access that resource. You experience authorization when you
can or you are allowed to view a file or access a site. The difference is that you don't get a message
saying you are allowed to view it! You probably come across hundreds, if not thousands,
of authorization decisions a day and don't even realize it (unless you get denied, of course).


As we'll see in this chapter, authorization decisions can be made based on many factors.
If you have a specific role assigned to your account, you might have inherited permissions in
the system to add, modify, delete, or view things. This is commonly referred to as Role-Based
Access Control (RBAC). For example, if you hold the Global Administrator role in Azure Active
Directory, you can manage all aspects of Azure Active Directory. The Global Reader role can
view all the same things as the Global Administrator role; Global Readers just don't have the
ability to make any changes, as seen in Figure 1-8. We'll cover Azure AD Roles in more depth
later in this chapter.

FIGURE 1-8 Administrative roles


Authorization decisions might also be made by information about the user. For example,
if you are a member of the sales organization, you would probably be a member of an Active
Directory sales group. This group membership would grant you access to the sales department's
shared network folder or a SharePoint site, but you wouldn't be able to access the engineering
department's shared network folder or SharePoint site. Only those who are members
of the engineering group would be able to access these resources. Typically, these decisions are
made by Access Control Lists (ACLs) determined by the system administrator.


Another example of authorization based on information about the user could be their title. 
When a regular user logs into their HR application, they see information about themselves, 
such as how many hours they've worked and their manager, pay stub, and information about
their benefits. They are only authorized to view their information. Their manager has a similar
view but probably also has additional information they can see about their employees. They 
can see all the hours worked for their direct reports, but they can’t see this same information 
about other employees in the organization. Based on their title, managers are only authorized 
to see additional information about their direct reports. Finally, the head of HR might be able 
to see a wide range of information about the company. They might be able to see total hours 
worked for everyone in the company, total payroll, and benefits spent. Because they hold a 
high-ranking position, they are authorized to see all this information. Most authorization is 
done at the application level using this RBAC model. 


Authorization applies to non-human accounts as well. A service account can hold roles in 
Azure Active Directory, and it would have the same permissions as any human account with that 
role. Service accounts can also be members of groups. A common example of this is the service 
that runs the backups. Depending on the design, it might require membership to a high-privilege 
group, such as Backup Operators, in order to back up and restore files on the system. 


Hopefully, the concept of authorization is clear and straightforward for you. Authorization 
grants or denies permissions to various resources for both human and non-human accounts. 
However, the implementation details of this can be extremely complex. In the above example, 
the sales and engineering teams have access to separate corporate resources. 


However, what do these teams do when they need to collaborate on something? For example,
let's say that the engineering team has a new product coming out, and the sales team
needs to be able to sell it. Following are some things you will need to consider:


■ Do we add the sales team to the engineering group?
■ Should we add the engineering team to the sales group?
■ Or do we create a new sales-engineering group and add the sales and engineering
groups to that new group?


This last option might seem like the right answer, but what do we do when the operations 
group also needs to work with engineering to ensure the production of the product meets 
engineering standards? Operations also needs to work with sales to make sure the supply 
chain is aligned with their sales projections. Do we create more groups for all three teams to 
work together? As you can see, this starts to grow and get out of hand. Having an authorization
design for these types of scenarios is important before you start implementing an identity
access management (IAM) solution. This type of scenario is pretty normal, and some of these 
decisions can be made ahead of time, but you will also need to plan for how you will handle 
exception cases and new scenarios that will arise. You will need that flexibility as business needs 
and scenarios grow. 


Lastly, we also need to make sure we are following the concept of least-privilege when it
comes to authorization. Human and non-human accounts should only have the minimum authorization
permissions required to accomplish their tasks. It is easy to grant more permissions—and
things will work if we do that—but we'll pay the price later for those decisions, often in catastrophic
ways. It's also often much more difficult to remove permissions from users and non-human
accounts after they are working. There is a fear that something might break or someone
will not be able to do their job, either of which would impact the business. From the start, you
should take the time to ensure least-privilege is being followed for authorization decisions. Your
future self will thank you.
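The group-nesting scenario and the least-privilege point above, worked through in an added Go example that is not code from the book: nested groups are resolved transitively, an explicit deny wins over any grant, and an effective-permission listing shows what each account can actually do before access is handed out for good. The directory, resources, and names are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Directory holds group membership: each group maps to its direct members, which may be users
// or other groups, as in the sales-engineering group that contains both sales and engineering.
type Directory struct {
	Members map[string][]string
}

// GroupsOf returns every group a principal belongs to, directly or through nesting.
// The result set doubles as the visited set, so mutually nested groups cannot loop forever.
func (d Directory) GroupsOf(principal string) map[string]bool {
	result := map[string]bool{}
	var walk func(p string)
	walk = func(p string) {
		for group, members := range d.Members {
			for _, m := range members {
				if m == p && !result[group] {
					result[group] = true
					walk(group)
				}
			}
		}
	}
	walk(principal)
	return result
}

// ACE is one access control entry: a principal (user or group), a permission, and grant or deny.
type ACE struct {
	Principal  string
	Permission string
	Deny       bool
}

type ACL []ACE // the entries on one resource

// Decide evaluates a user's effective right to one permission: an explicit deny that applies to
// the user or to any of their groups wins over every grant, and with no matching grant the answer
// is no (the default-deny position that least privilege relies on).
func Decide(d Directory, acl ACL, user, permission string) bool {
	applies := d.GroupsOf(user)
	applies[user] = true
	granted := false
	for _, e := range acl {
		if e.Permission != permission || !applies[e.Principal] {
			continue
		}
		if e.Deny {
			return false
		}
		granted = true
	}
	return granted
}

// EffectivePermissions lists everything a user can actually do across the resources, which is
// what a least-privilege review needs to see before (and after) access is handed out.
func EffectivePermissions(d Directory, resources map[string]ACL, user string) []string {
	var out []string
	for name, acl := range resources {
		seen := map[string]bool{}
		for _, e := range acl {
			if !seen[e.Permission] && Decide(d, acl, user, e.Permission) {
				out = append(out, name+":"+e.Permission)
			}
			seen[e.Permission] = true
		}
	}
	sort.Strings(out)
	return out
}

// Constructed directory for the scenario in the text: sales and engineering each have a share, a
// sales-engineering group nests both for the product launch site, and a contractor who sits in the
// sales group is explicitly denied the launch material.
var (
	dir = Directory{Members: map[string][]string{
		"sales":             {"sam", "contractor-cj"},
		"engineering":       {"eve"},
		"operations":        {"oli"},
		"sales-engineering": {"sales", "engineering"},
	}}
	resources = map[string]ACL{
		"SalesShare":       {{"sales", "read", false}, {"sales", "write", false}},
		"EngineeringShare": {{"engineering", "read", false}, {"engineering", "write", false}},
		"ProductLaunchSite": {
			{"sales-engineering", "read", false}, {"engineering", "write", false}, {"contractor-cj", "read", true},
		},
	}
)

func main() {
	for _, u := range []string{"sam", "eve", "contractor-cj", "oli"} {
		fmt.Println(u, EffectivePermissions(dir, resources, u))
	}
}
```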


MORE INFO AZURE AD ROLES AND LEAST-PRIVILEGE ROLES


You can learn more about Azure AD Roles and what they are authorized to do at https://aka.ms/SC900_AADRoles and https://aka.ms/SC900_TaskByLeastPrivilege.


What is Active Directory? 


Windows Server Active Directory is a multi-master, on-premises directory service that has
been built into the Windows operating system since Windows 2000. Typically, it is the primary
on-premises identity directory for an enterprise and is widely used. (It is used by 95 percent
of the Fortune 500 companies.) If you have seen the Ctrl+Alt+Delete screen at your corporate
workstation, entered your corporate user name and password, and successfully logged in with
a work account, you've used Active Directory. Numerous books have been written about Active
Directory, and we can't go into that depth about it here, though it is still important to understand
the basics because we will build on these basics later in this chapter.


Active Directory provides authentication, authorization, and usually a single sign-on experience
to corporate resources such as file servers, email, and other applications that access the
local intranet. Active Directory will have accounts for users and computers, as well as accounts
for applications and services. Groups and printers will also be stored in Active Directory.
Active Directory supports many protocols like LDAP, NTLM, Kerberos, and DNS. It also has the
functionality to apply security policies to computers and users through group policy. From an
administrative perspective, all these objects can be managed hierarchically in containers and
organizational units (OUs), as seen in Figure 1-9.

FIGURE 1-9 Active Directory Administrative Center using a hierarchical view of Active Directory

The boundary for Active Directory is the Active Directory forest. Everything in this forest
trusts one another inherently. This boundary can be extended to other Active Directory forests 
as well. Typically, boundaries are used in merger and acquisition scenarios, as well as some 
older architectures that had separate resource forests for applications. 


Though still extremely popular, Active Directory is very much a product of the late 1990s
and early 2000s. It was designed for a different world from what exists today. It was assumed
that the resources you would be accessing were on the local intranet and that you would be
physically in the office. If people had Internet access at home, it was through slow, dial-up
connections. Very few people had "dumb" cell phones, and some people had pagers. Cloud-backed
resources such as SaaS applications and the protocols they leverage (for example, WS-Fed,
SAML, OAuth, and OpenID Connect) hadn't been created yet.


Once resources began leaving their intranets for the Internet, Active Directory began to 
face some challenges, chiefly providing secure access for corporate users to these modern 
resources from their corporate accounts. Enter the need for federation services. 


MORE INFO ACTIVE DIRECTORY COMPARED TO AZURE ACTIVE DIRECTORY


You can see how features in Active Directory compare to features in Azure Active Directory at 
https://aka.ms/SC900_ADCompareToAAD. 


What are federation services and identity providers? 


Before we get into the components of federation services, it’s important to first understand 
why we need them. For example, let's say that an application doesn’t reside on a corporate 
intranet, so we need a way to leverage existing authentication methods. The easiest way to 
solve this dilemma is to create a username and password for that application, though doing so 
has some problems. The first problem is this requires each application to implement its own 
authentication stack and everything that comes with it, such as password resets and storage 
of these credentials. There are numerous cases where a vendor does not correctly store these 
usernames and passwords, and they end up being compromised. 


To make matters worse, users are likely to reuse their credentials across multiple applications,
including sharing credentials between work and home. Credential reuse presents an
even bigger issue as the number of SaaS applications increases because the credentials are 
spread across all these applications. A compromise of one credential can lead to a compromise 
of all the remaining applications. 


The next issue is that applications typically need more than just a username to be useful 
to a user. Data points such as a user's job title, department, manager, and so on are leveraged 
in applications to allow functionality and provide authorization for user actions. As discussed 
previously, what a department head can view, add, delete, and change is much different from 
what an individual employee can do in that same application. This additional data would also 
need to be present in each of the SaaS applications. 


Federation services solve these issues. A detailed breakdown of the inner workings of
federation protocols such as WS-Fed, SAML, OAuth, and OpenID Connect is well beyond the
scope of this book. However, some components and concepts apply to many modern authentication
protocols that are worth understanding.


The identity provider—frequently abbreviated as IdP or IDP—handles the authentication
of the user. The authentication can be via a web browser using forms-based authentication;
authentication also can be done via Integrated Windows Authentication (IWA) or an application
using a web API. An IDP is really user authentication as a service. Common examples of IDPs are
Azure AD, Active Directory Federation Services (ADFS), and Ping Federate. The IDP will then
issue claims to the application—also frequently called a resource provider—that trusts the IDP.
The user is then signed into the application.


Claims are information that is sent to the application/resource provider that, in this case,
identifies the user and any additional information about the user that the application needs
to function. The necessary information varies from application to application, but information
such as title, manager, employee ID, and the like can be included in the claim. This claim is
signed by the IDP using the IDP's private key.


Public key cryptography is used to digitally sign claims by the IDP using its private key. The 
application/resource provider uses the public key to validate the claim. The application vali- 
dates that the claim came from the IDP—assuming the private key has not been compromised 
and that the claims data has not been modified since it was signed. 


Before a user can authenticate, have information sent as a claim to the application, and 
access that information, a federation trust needs to be set up first. The setup details vary 
between federation protocols, but the IDP and the application will essentially exchange some 
information, such as the IDP public key and the application’s endpoints for authentication. 
Typically, this is in the trust’s metadata. 
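The hash-then-sign integrity check from the digital-signature discussion earlier in this section and the signed-claim exchange just described, combined in one added Go example that is not code from the book or from any Microsoft product. A constructed identity provider signs the SHA-256 digest of a claim with RSA-PSS; the application verifies the signature with the public key it received as trust metadata, then checks issuer, audience, and expiry, and rejects a claim whose title was changed after signing. All names, URLs, and claim fields are constructed.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Claim is what the IdP asserts about a user (constructed field set): identity, attributes the
// application needs such as title and manager, plus issuer, audience and expiry.
type Claim struct {
	Subject   string `json:"sub"`
	Title     string `json:"title"`
	Manager   string `json:"manager"`
	Issuer    string `json:"iss"`
	Audience  string `json:"aud"`
	ExpiresAt int64  `json:"exp"`
}

type SignedClaim struct { // what travels from the IdP to the application
	Payload   []byte // serialised claim
	Signature []byte // IdP signature over the SHA-256 digest of Payload
}

// IdentityProvider holds the private key, which never leaves the IdP.
type IdentityProvider struct {
	Name string
	key  *rsa.PrivateKey
}

func NewIdentityProvider(name string) (*IdentityProvider, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &IdentityProvider{Name: name, key: key}, nil
}

// PublicKey is the trust metadata the IdP hands to the application when the federation trust is set up.
func (idp *IdentityProvider) PublicKey() *rsa.PublicKey { return &idp.key.PublicKey }

// Issue serialises the claim, computes its SHA-256 digest and signs the digest with the private key.
func (idp *IdentityProvider) Issue(c Claim) (SignedClaim, error) {
	c.Issuer = idp.Name
	payload, _ := json.Marshal(c) // a flat struct of strings and ints cannot fail to encode
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPSS(rand.Reader, idp.key, crypto.SHA256, digest[:], nil)
	if err != nil {
		return SignedClaim{}, err
	}
	return SignedClaim{Payload: payload, Signature: sig}, nil
}

// ResourceProvider is the application. It pins the name and public key of the one IdP it trusts.
type ResourceProvider struct {
	Name       string
	TrustedIdP string
	TrustedKey *rsa.PublicKey
}

// Accept recomputes the digest of the received payload and verifies the signature with the trusted key
// before reading any claim data (a failure means the payload was altered after signing or was signed
// by an untrusted key), then checks issuer, audience and expiry.
func (rp *ResourceProvider) Accept(sc SignedClaim, now time.Time) (*Claim, error) {
	digest := sha256.Sum256(sc.Payload)
	if err := rsa.VerifyPSS(rp.TrustedKey, crypto.SHA256, digest[:], sc.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature check failed: claim altered or not from the trusted IdP")
	}
	var c Claim
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Issuer != rp.TrustedIdP:
		return nil, fmt.Errorf("issuer %q is not the trusted IdP", c.Issuer)
	case c.Audience != rp.Name:
		return nil, fmt.Errorf("claim was issued for %q, not for this application", c.Audience)
	case !now.Before(time.Unix(c.ExpiresAt, 0)):
		return nil, fmt.Errorf("claim expired")
	}
	return &c, nil
}

func main() {
	idp, _ := NewIdentityProvider("https://idp.contoso.example") // constructed names throughout
	app := &ResourceProvider{Name: "hr-app", TrustedIdP: idp.Name, TrustedKey: idp.PublicKey()}
	now := time.Unix(1_700_000_000, 0)
	sc, _ := idp.Issue(Claim{Subject: "alice", Title: "Analyst", Manager: "bob", Audience: "hr-app", ExpiresAt: now.Unix() + 300})
	c, err := app.Accept(sc, now)
	fmt.Println("genuine claim:", c.Subject, c.Title, err)
	// Change the title after signing but keep the old signature: the recomputed digest no longer matches.
	sc.Payload = bytes.Replace(sc.Payload, []byte(`"Analyst"`), []byte(`"Head of HR"`), 1)
	_, err = app.Accept(sc, now)
	fmt.Println("altered claim:", err)
}
```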


The application or resource provider is what the user is accessing. Because the trust and 
exchange of metadata have happened previously, the application will trust the signed claims 
from the IDP. There are thousands of applications that support this federated authentication 
model, such as Office365, ServiceNow, and WorkDay. We can see all these pieces together in 
Figure 1-10, which shows an identity provider sending a signed claim to an application/resource 
provider. A two-way arrow connects the identity provider to the application/resource provider 
to indicate a trust and that metadata is being exchanged. 


[Figure 1-10: the identity provider and the application/resource provider are connected by a two-way "Trust and metadata" arrow; a "Signed claim" arrow runs from the identity provider to the application/resource provider.]

FIGURE 1-10 Federation components working together
Common identity attacks


The full set of attacks that can take place against an identity system is well beyond the scope of 
this chapter and this book. The good news is that 99 percent of all identity attacks fall into one 
of these three categories: credential reuse, password spray, and phishing: 


■ Credential reuse As we've seen before, federation is very useful because users
will use the same usernames and passwords at many different sites and applications. 
Often, they use the same passwords they use for their corporate credentials. When 
one of these sites or applications is compromised, the attacker will try those same 
credentials against many other resources, including corporate Azure AD, as shown in 
Figure 1-11. 


[Figure 1-11: an attacker with a valid username and password tries it against a cloud app, Azure AD, a website, and a second website.]

FIGURE 1-11 Attackers use stolen usernames and passwords on various resources


■ Password spray Users also follow very predictable password patterns. Often, this is
caused by corporate password policies that require users to change their passwords
every 30 days because users often will select the month, the year, and a special character.
For example, a user might use "September2021!" if passwords are changed monthly
or "Winter2021!" if passwords are changed quarterly. Attackers then try this same
password against all the users in the directory, frequently leveraging legacy protocols
that cannot use MFA, such as IMAP4, POP3, or SMTP. This type of attack can be seen in
Figure 1-12.

FIGURE 1-12 Attacker using an easily guessed password against multiple Azure AD tenants


■ Phishing Phishing is probably the identity attack that people are most familiar with.
This is when an attacker tries to impersonate a legitimate service and tries to get the
user to enter some sort of personal information—usually their usernames and passwords.
Attackers then use these credentials against the service to impersonate the user.
In some more advanced cases, the attacker will also try to get the user to input their
MFA prompt as well.
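Detection logic for the password-spray pattern described above, as an added Go example that is not from the book or from Azure AD. It groups failed sign-ins by source IP and flags the spray signature (many distinct accounts, one or two failures each, often over legacy protocols) as distinct from brute force against a single account, and reports any account that then signed in successfully from the same source. The log format, IP addresses, and user names are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// SignIn is one parsed record of the constructed log format "timestamp user source_ip protocol result".
type SignIn struct {
	Time, User, SourceIP, Protocol, Result string
}

var legacyProtocols = map[string]bool{"IMAP4": true, "POP3": true, "SMTP": true} // cannot carry an MFA challenge

// ParseSignIns parses the constructed log, skipping blank or malformed lines.
func ParseSignIns(raw string) []SignIn {
	var out []SignIn
	for _, line := range strings.Split(raw, "\n") {
		f := strings.Fields(line)
		if len(f) != 5 {
			continue
		}
		out = append(out, SignIn{f[0], f[1], f[2], f[3], f[4]})
	}
	return out
}

// SprayFinding describes one source IP whose failure pattern looks like password spray.
type SprayFinding struct {
	SourceIP       string
	DistinctUsers  int      // accounts with at least one failure from this IP
	MaxPerUser     int      // highest failure count against any single account
	LegacyOnly     bool     // every failed attempt used a legacy protocol
	SucceededUsers []string // accounts that signed in successfully from this IP
}

// DetectSpray flags a source IP whose failures touch at least minUsers distinct accounts while no
// single account sees more than maxPerUser failures: many users, a guess or two each. One account
// with many failures is brute force, not spray, and is left to a different rule. Successes from a
// flagged IP are the accounts the spray may have landed on, so they are reported with the finding.
func DetectSpray(events []SignIn, minUsers, maxPerUser int) []SprayFinding {
	failures := map[string]map[string]int{} // source IP -> user -> failure count
	successes := map[string][]string{}
	legacyOnly := map[string]bool{}
	for _, e := range events {
		switch e.Result {
		case "SUCCESS":
			successes[e.SourceIP] = append(successes[e.SourceIP], e.User)
		case "FAILURE":
			if failures[e.SourceIP] == nil {
				failures[e.SourceIP] = map[string]int{}
				legacyOnly[e.SourceIP] = true
			}
			failures[e.SourceIP][e.User]++
			if !legacyProtocols[e.Protocol] {
				legacyOnly[e.SourceIP] = false
			}
		}
	}
	var findings []SprayFinding
	for ip, perUser := range failures {
		maxSeen := 0
		for _, n := range perUser {
			if n > maxSeen {
				maxSeen = n
			}
		}
		if len(perUser) >= minUsers && maxSeen <= maxPerUser {
			sort.Strings(successes[ip])
			findings = append(findings, SprayFinding{ip, len(perUser), maxSeen, legacyOnly[ip], successes[ip]})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].SourceIP < findings[j].SourceIP })
	return findings
}

// sampleLog is constructed (documentation IP ranges): 203.0.113.7 tries one guess against six accounts
// over IMAP4 and gets into frank's; 198.51.100.9 fails three times against one account (brute force,
// not spray); 192.0.2.4 is bob mistyping his password twice before signing in.
const sampleLog = `
2021-09-01T08:00:01Z alice 203.0.113.7 IMAP4 FAILURE
2021-09-01T08:00:02Z bob 203.0.113.7 IMAP4 FAILURE
2021-09-01T08:00:03Z carol 203.0.113.7 IMAP4 FAILURE
2021-09-01T08:00:04Z dave 203.0.113.7 IMAP4 FAILURE
2021-09-01T08:00:05Z erin 203.0.113.7 IMAP4 FAILURE
2021-09-01T08:00:06Z frank 203.0.113.7 IMAP4 SUCCESS
2021-09-01T08:00:07Z grace 203.0.113.7 IMAP4 FAILURE
2021-09-01T08:05:00Z alice 198.51.100.9 WEB FAILURE
2021-09-01T08:05:10Z alice 198.51.100.9 WEB FAILURE
2021-09-01T08:05:20Z alice 198.51.100.9 WEB FAILURE
2021-09-01T09:00:00Z bob 192.0.2.4 WEB FAILURE
2021-09-01T09:00:20Z bob 192.0.2.4 WEB FAILURE
2021-09-01T09:00:40Z bob 192.0.2.4 WEB SUCCESS
`

func main() {
	for _, f := range DetectSpray(ParseSignIns(sampleLog), 5, 2) {
		fmt.Printf("possible spray from %s: %d accounts, at most %d failures each, legacy-only=%v, succeeded=%v\n", f.SourceIP, f.DistinctUsers, f.MaxPerUser, f.LegacyOnly, f.SucceededUsers)
	}
}
```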


Thought experiment 


In this thought experiment, demonstrate your skills and knowledge of the topics covered in this 
chapter. You can find answers to this thought experiment in the next section. 


Contoso’s Journey to the Cloud 


You are one of the IT administrators for Contoso, an online general store that specializes
in a variety of products for the home. Contoso is starting its journey to the cloud,
and you need to evaluate different cloud providers to understand their privacy principles
and compliance resources. It is very important to Contoso that this cloud provider
takes privacy seriously and won't use their information for advertising purposes.


You are going to lead the creation of a new cloud security team at Contoso, and one
of the charters of this team is to ensure the use of zero-trust methodology across
all available segments. Contoso plans to start its journey to the cloud by migrating
some workloads to IaaS while keeping some workloads on-premises. The only PaaS
service Contoso plans to use is the identity provider, which the company wants to
make sure is synchronized with its on-premises Active Directory. Lastly, Contoso also
wants to make sure that the cloud provider they choose has a one-stop-shop site,
where they can find all privacy and compliance-related information, and the company
needs to be able to customize the relevant documents that may be important
to them.


With this information in mind, answer the following questions: 


1. Who is responsible for maintaining the operating system updates on VMs in an IaaS
scenario?


2. Which Microsoft privacy principles address Contoso’s concern about the use of 
personal information for advertisement? 


3. What zero-trust guiding principle ensures that you always authenticate and 
authorize access based on all available elements? 


4. What is the name of the portal that provides privacy and compliance-related 
information that can be customized? 


Thought experiment answers 


This section contains the solution to the thought experiment. 


1. In an IaaS scenario, the customer is responsible for updating the operating system
running on the VMs.


2. No content-based targeting.


3. Always verify.


4. Microsoft Service Trust Portal.


Chapter summary 


■ Zero-trust guiding principles are always verify, use least-privilege access, and assume
breach.


■ Zero-trust should be applied across the following segments: identity, endpoint, data,
apps, infrastructure, and network.


■ Microsoft's vision of zero-trust also suggests full visibility across all those elements in an
integrated dashboard.


■ Cloud providers adopt the shared responsibility model that adjusts itself according to
the cloud service model—Infrastructure as a Service (IaaS), Platform as a Service (PaaS),
and Software as a Service (SaaS).


■ Regardless of the type of deployment, the following responsibilities are always retained
by the customer: data, endpoints, account management, and access management.


■ Defense-in-depth increases an attacker's risk of detection while reducing an attacker's
chance of success.


■ Phishing attacks attempt to steal sensitive information through emails, websites, text
messages, or other forms of electronic communication.


■ Data breaches can occur for different reasons. The system could be compromised by
malware that extracted the data, or it could be a scenario in which a user inadvertently
granted access to a broad group of users, and one member of that group had his credentials
compromised.


■ While encryption is becoming imperative, you should also consider other security controls
to enhance the confidentiality and integrity of the information. You can digitally
sign the message that you want to transmit, and based on that digital signature, the user
can verify that the data has not been changed since it was signed.


■ Identity is the new security perimeter, and foundational concepts like authentication,
authorization, and federation with identity providers are the heart of Azure Active
Directory.


■ Hybrid identity is extremely common and leverages existing Active Directory deployments
to extend into Azure Active Directory via Azure Active Directory Connect,
allowing users to authenticate via password hash sync, pass-through authentication,
or federation.


■ Azure AD is a full IAM system made up of users, devices, groups, and applications. Users
can be external users from partner companies, or they can be consumer identities.
Azure AD has many different authentication methods such as password, multifactor
authentication, and passwordless credentials, such as Windows Hello for Business.
Multifactor authentication is a combination of something you know, something you
have, or something you are.
Microsoft Identity and Access Management Solutions


Identity and access management is a core foundational piece for security and compliance. 
Everything today starts with identity. Users have identities to access resources such as applications,
and they can do that from anywhere on the planet. Applications themselves have
identities to define their permission scopes. Computer objects have identities and can be 
used as a factor to make access decisions. Understanding identity concepts and capabilities is 
a requirement for properly achieving security and compliance in your organization. 


Skills in this chapter:
■ Define the basic identity services and identity types of Azure AD
■ Describe the authentication capabilities of Azure AD
■ Describe access management capabilities of Azure AD
■ Describe the identity protection and governance capabilities of Azure AD


Skill 2-1: Define the basic identity services and identity 
types of Azure AD 


This objective deals with the fundamental concepts of Azure Active Directory. In this section, 
you'll learn what Azure Active Directory is and its key enterprise features. You'll also learn 
about internal and external identities, and you'll also learn about hybrid identity and the different
ways to authenticate to Azure Active Directory. This skill provides the building blocks
of Azure Active Directory. 


Describe what Azure Active Directory is 


Azure Active Directory is Microsoft's cloud-based Identity-as-a-Service (IDaaS) offering. It is 
an Identity and Access Management (IAM) product with 200,000 customers (corporations/ 
business entities), 425 million monthly active users, and 30 billion authentications processed 
each day! Many of the IAM features are covered throughout this chapter, but let's take a 
high-level view of some of the key features to help give you an idea of what makes up Azure 
Active Directory. 
Applications


Azure Active Directory is the Identity Provider (IDP) for Microsoft applications such as
Office365 and Azure. It also leverages modern protocols such as WS-Federation, SAML, OAuth,
and OpenID Connect to integrate with non-Microsoft applications. The Azure AD Application
Gallery has thousands of pre-integrated applications to make authentication to these apps
easy to set up. Also, the Application Gallery uses the SCIM (System for Cross-domain Identity
Management) protocol for provisioning users to and de-provisioning users from these applications.
If the application is not in the gallery, you can still integrate it with Azure Active Directory
yourself, or you can request that it be added to the gallery.


MORE INFO ADDING APPLICATIONS TO THE AZURE ACTIVE DIRECTORY APPLICATION GALLERY


You can request applications to be added to the Application Gallery here: https://aka.ms/SC900_AddToAAADAppGallery.


Application proxy 

Application proxy is used to provide remote access to on-premises web applications. This 
allows any conditional access policies to apply when accessing these on-premises applications 
without making any changes to the application itself. This is an excellent way to leverage your 
cloud-based identity security to protect your existing on-premises applications. All connectivity
is outbound to Azure AD. These applications will appear to the user as any other application.
There is no difference to the user if the application is on-premises or in the cloud. They
access it the same way. 


Authentication 


Skill 2-2 is focused on the authentication aspects of Azure Active Directory, such as password 
hash sync (PHS), pass-through authentication (PTA), federation, self-service password reset 
(SSPR), multifactor authentication (MFA), Windows Hello for Business, and Azure AD Password 
Protection. 


Access management 


Skill 2-3 is focused on the access management aspects of Azure Active Directory, specifically
the conditional access feature. At a high level, you can define which users or groups must meet
a specific criterion such as completing MFA or having a specific device or platform type before
they can access a resource, such as a specific application or the applications in your tenant.
There are also many different Azure Active Directory roles that can be assigned to
administrators to follow the principle of least privilege while also granting the necessary access
to perform the tasks they need to perform.


Devices 


Intune is the primary device management platform for cloud-based devices, but there
are device objects in Azure Active Directory that are Azure AD-registered, hybrid Azure
AD-joined, or Azure AD-joined. We'll cover hybrid Azure AD-joined devices in more detail in
the next section, but these devices can be used as a control in conditional access that must be
met before accessing the resource. Just be aware that although devices do exist in Azure AD,
the traditional management you think of with Group Policy Objects (GPOs) is performed from
Intune. However, there is a tight relationship between Azure Active Directory and Intune.


Domain services 


Azure Active Directory Domain Services enables you to join your Azure virtual machines to a
traditional Active Directory domain. This is completely separate from your on-premises Active
Directory domain, but it is populated from your Azure Active Directory tenant. You can think of
this more as a resource forest for legacy protocols like NTLM, Kerberos, and LDAP for
applications that have been lifted and shifted into Azure.


External identities 


Azure Active Directory enables easy collaboration with other companies that share resources
like documents or access your applications, using Azure AD Business-to-Business (B2B). You
would use Azure AD Business-to-Consumer (B2C) if you are creating customer-facing apps that
need a fully featured Customer Identity and Access Management (CIAM) solution. Azure Active
Directory B2C is a totally separate Azure Active Directory. Both Azure AD B2B and Azure AD
B2C support conditional access.


Governance 

Skill 2-4 is focused on the governance aspects of Azure Active Directory. These features include
Access Reviews and Entitlement Management. The primary focus of governance is to
determine which users should have access to which resources. The governance process also
needs to be auditable to verify that it is working.


Reporting 

Various log sources are available, ranging from directory changes in the audit logs to sign-in
logs for both interactive and non-interactive events. Azure AD also includes logs for
applications and managed-service identities, which are a specific type of application identity.
These can all be accessed in the Azure Active Directory portal or exported to Log Analytics,
Microsoft Sentinel, or any other SIEM.


EXAM TIP 


Remember what the different Azure AD features are used for and which problems they solve
for a company.


Licensing
Azure Active Directory has three levels of licensing: 


■ Azure AD Free Azure AD Free provides user and group management, as well as directory
sync. This is included when you sign up for Office 365 or Microsoft 365 resources.

■ Azure Active Directory Premium 1 This level is where most of the features discussed
in this chapter are included. This includes conditional access, self-service password reset
with writeback, dynamic groups, and much more.

■ Azure Active Directory Premium 2 This level includes governance capabilities, such
as access reviews, entitlement management, and Privileged Identity Management. It also
includes the advanced security features of Identity Protection.


MOREINFO AZURE ACTIVE DIRECTORY FEATURES BY LICENSE 


For a detailed breakdown of what features are included in each license level, see
https://aka.ms/SC900_AADLicensing.


EXAM TIP 


Remember which features are part of Azure AD P2. The rest are included in Azure AD P1. 


Describe what hybrid identity is 


Very few customers are starting with a completely greenfield environment (a from-scratch
and totally new environment) with only Azure Active Directory accounts accessing only cloud
resources. Most customers are in a hybrid-identity state with their Azure AD tenant(s)
connected to an on-premises AD. This is where user accounts need to exist in both the
on-premises Active Directory and in Azure Active Directory. The user might access a local file
server and then access their email in Office 365. They need to be able to do this with one
seamless account. Hybrid identity makes this possible. If you want to leverage your existing
Active Directory environment and take advantage of Azure Active Directory, you'll need to use
a hybrid identity.


There are two distinct components to a hybrid identity setup:

■ Syncing of the users and their attributes from Active Directory to Azure Active Directory.

■ Authenticating to Azure Active Directory using credentials from on-premises Active
Directory. This can be accomplished via PHS, PTA, or federation.


AZURE ACTIVE DIRECTORY CONNECT 

Azure Active Directory Connect is the primary tool used to create users, groups, and other 
objects in Azure Active Directory. The information is sourced from your on-premises Active 
Directory, which is the usual scenario for most customers who are using a hybrid identity. 
Changes in your on-premises directory to those objects are automatically synced to Azure Active 
Directory. The source of authority (SOA) for these objects is the on-premises Active Directory. 
This means the sync is a one-way sync from Active Directory to Azure Active Directory. 
Azure AD Connect has a very robust setup wizard to help you with this process. You can use
the express setup, which chooses the default options for you, or you can do a custom
installation to get extremely granular with your choices. You can select which objects will be
synced to Azure Active Directory (and which attributes of those objects, if needed).


Another part of the setup wizard helps you pick which authentication method your users
will use to authenticate to Azure Active Directory, as shown in Figure 2-1.


[Figure 2-1 shows the Azure AD Connect wizard's User sign-in page ("Select the Sign On
method"). The options are Password Hash Synchronization, Pass-through authentication,
Federation with AD FS, Federation with PingFederate, and Do not configure, plus an "Enable
single sign-on" checkbox for corporate desktop users.]


FIGURE 2-1 User sign-in options


Azure AD Connect is a key piece of hybrid infrastructure and must be protected the same
way you would protect a domain controller in Active Directory. If an attacker were to get access
to an Azure AD Connect server, this would be the security equivalent of getting access to a
domain controller.


MOREINFO AZURE ACTIVE DIRECTORY CONNECT 


You can read more about customizing the Azure AD Connect Sync at
https://aka.ms/SC900_AADConnectCustomize.


PASSWORD HASH SYNCHRONIZATION 

The current credentials in on-premises Active Directory are synced to Azure AD through Azure
AD Connect. The on-premises password itself is never sent to Azure Active Directory; only the
password hash is. The hashes stored in Azure Active Directory are completely different from the
hashes in on-premises Active Directory: Active Directory password hashes are MD4, and Azure
Active Directory password hashes are SHA256. The user authenticates to Azure Active
Directory by entering the same password they use on-premises. For the detailed cryptographic
specifics of how this process works, see the More Info item below.


MOREINFO AZURE ACTIVE DIRECTORY CONNECT PASSWORD HASH SYNC DETAILS 


You can read more about the Azure AD Connect Sync Password Hash Sync at
http://aka.ms/aadphs.
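The following Python script is an added illustration for this section; it is not code from the book or from Microsoft. It models the hash transformation described above: the on-premises NT hash (MD4 of the UTF-16LE password) is never uploaded as-is. Per Microsoft's public PHS documentation (the More Info link above), Azure AD Connect expands the 16-byte MD4 hash to its 32-character hex form re-encoded as UTF-16LE, adds a 10-byte per-user salt, and runs 1000 iterations of PBKDF2-HMAC-SHA256; only that output reaches Azure AD. The MD4 routine is implemented inline because many OpenSSL-backed Python builds no longer expose it through hashlib, and the password, salt, and hex-digit casing used here are assumptions of this model, not values from the page.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); included because OpenSSL-backed Python builds
    often no longer provide hashlib.new('md4')."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # little-endian bit length

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # Per round: mixing function, message-word order, shift amounts, additive constant.
    rounds = (
        (f, tuple(range(16)), (3, 7, 11, 19), 0x00000000),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", bytes(msg[off:off + 64]))
        a, b, c, d = a0, b0, c0, d0
        for func, order, shifts, k in rounds:
            for i, w in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[w] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c              # rotate the working registers
        a0, b0 = (a0 + a) & MASK32, (b0 + b) & MASK32
        c0, d0 = (c0 + c) & MASK32, (d0 + d) & MASK32
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """What on-premises Active Directory stores: an unsalted MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16le"))


def phs_synced_hash(nt: bytes, salt: bytes, iterations: int = 1000) -> bytes:
    """Model of the value Azure AD Connect derives before upload (per Microsoft's public
    PHS documentation): the 16-byte NT hash written as 32 hex characters, re-encoded as
    UTF-16LE (64 bytes), then PBKDF2-HMAC-SHA256 with a 10-byte per-user salt.
    Azure AD stores this output, never the NT hash itself."""
    if len(salt) != 10:
        raise ValueError("PHS uses a 10-byte per-user salt")
    expanded = nt.hex().encode("utf-16le")       # lowercase hex is an assumption of this model
    return hashlib.pbkdf2_hmac("sha256", expanded, salt, iterations, dklen=32)


def sync_demo(password: str, salt: bytes) -> dict:
    """Return both hash forms so the difference is visible side by side."""
    nt = nt_hash(password)
    return {"nt_hash": nt.hex(), "salt": salt.hex(), "synced_hash": phs_synced_hash(nt, salt).hex()}


if __name__ == "__main__":
    # Constructed sample password and salt; a real salt is random and unique per user.
    for key, value in sync_demo("Summer2021!", bytes(range(10))).items():
        print(f"{key:12s} {value}")
```

The practical point for defenders is visible in the output: the value that lands in Azure AD is a salted, iterated SHA256 derivation, so a copy of the synced hash does not yield the NT hash that on-premises protocols such as NTLM consume, and two tenants holding the same password for the same user never store the same value because the salt differs.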


You can also select password hash sync as an optional feature in Azure AD Connect if you
are using PTA or federation as your primary authentication method, as seen in Figure 2-2. This
gives you two benefits:


■ Azure Active Directory can alert you when the username and password are discovered
online. There will be a leaked credential alert for that user.

■ If something catastrophic happens to the on-premises Active Directory, an admin can
flip the authentication method to password hash sync. This would allow users to still
access cloud resources while the full disaster recovery plan is being executed.


Password hash synchronization should be used as the default authentication choice unless 
there are specific requirements not to do so. 


[Figure 2-2 shows the Azure AD Connect wizard's Optional features page ("Select enhanced
functionality if required by your organization"). The checkboxes are Exchange hybrid
deployment, Exchange Mail Public Folders, Azure AD app and attribute filtering, Password hash
synchronization (selected), Password writeback, Group writeback, Device writeback, and
Directory extension attribute sync.]


FIGURE 2-2 Password hash synchronization


PASS-THROUGH AUTHENTICATION

With pass-through authentication, the user's password is validated against the on-premises
Active Directory using PTA agents. When a user authenticates to Azure AD, the username and
password are encrypted and put into a queue. The on-premises PTA agent reaches outbound
to Azure AD, picks up the request, decrypts the username and password, and then validates
them against Active Directory. It then reports back to Azure AD whether the authentication
was successful. This allows on-premises policies such as sign-in-hour restrictions to be
evaluated during authentication to cloud services. The password hash doesn't need to be
present in Azure Active Directory in any form for PTA authentication to work. However, PHS
can be enabled as an optional feature.


The first PTA agent is usually installed on the Azure AD Connect server. It’s recommended 
that you have a minimum of three PTA agents for redundancy. You can see the total number 
of PTA agents installed at the Azure AD Connect page in the Azure AD Portal shown in 
Figure 2-3. 


[Figure 2-3 shows the Azure AD Connect page of the Azure AD portal (Default Directory >
Azure AD Connect). Under Provision from Active Directory it lists Azure AD cloud sync and
Azure AD Connect sync (Sync Status: Enabled; Last Sync: Less than 1 hour ago; Password Hash
Sync: Enabled). Under User sign-in it lists Federation (Disabled, 0 domains), Seamless single
sign-on (Disabled, 0 domains), and Pass-through authentication (Enabled, 1 agent).]


FIGURE 2-3 Pass-through authentication agent installed


To see the specific IPs of the PTA agents, click Pass-Through Authentication, as shown 
in Figure 2-4. The maximum number of PTA agents per tenant is 40. The servers running 
PTA agents should also be treated and protected the same as you would protect a domain 
controller. 
[Figure 2-4 shows the Pass-through authentication page (Default Directory > Pass-through
authentication) with Download, Troubleshoot, and Refresh actions and a table of agents with
the columns Authentication Agent, IP, Status, and Warnings. One agent,
DC900.corp.contoso.com, is listed in the default group with status Active.]


FIGURE 2-4 Pass-through authentication agent installed details


PTA should be used as an authentication choice if password hash sync cannot be used or if 
sign-in hour restrictions are required. Also, PTA is useful for a company that is trying to move 
away from federated authentication but doesn’t want to move to password hash sync yet. 


MOREINFO PASS-THROUGH AUTHENTICATION 
You can learn more about the details of how PTA works at https://aka.ms/SC900_PTADeepDive. 


FEDERATION 

Federation allows users to authenticate to Azure AD resources using credentials provided by
another identity provider (IDP). In the Azure AD Connect setup, when you choose the
Federation With AD FS option, Active Directory Federation Services is installed and configured.
Also, a Web Application Proxy (WAP) server is installed to facilitate communication between
the on-premises AD FS deployment and the Internet. The WAP should be located in the DMZ;
the AD FS server should never be exposed to the Internet directly. Federation is the most
complicated identity authentication configuration. There are few reasons why federated
authentication to Azure AD would be needed, and it should be the last choice when evaluating
PHS, PTA, and federation.


At the time of this writing, Smart Card authentication is not supported in Azure AD. If that is 
a core requirement, then you will need to use federation. If a custom MFA provider is needed 
that is not available in Azure AD, you will need to use federation for authentication. 


Finally, AD FS servers should be protected and treated the same way as domain controllers. 
If an attacker were able to get access to the AD FS server, they could sign claims impersonating 
any user in the directory. 


MOREINFO CHOOSING THE RIGHT AUTH METHOD FOR YOUR HYBRID IDENTITY 


If you are unsure which method is best for you, follow the decision tree located at
https://aka.ms/SC900_ChooseTheRightAuthN.


EXAM TIP


Make sure to understand what a hybrid identity is, as well as the associated components 
that are used in a hybrid identity configuration. 


Describe Azure AD identities (users, devices, groups, 
and service principals/applications) 


Azure AD identities are made up of four main categories of identities: users, devices, groups, 
and applications. All of these will be present in your Azure AD tenant. 


USERS 

User identities are typically connected to a person. These are the identities that you
traditionally think of when users authenticate to a resource. When someone starts working at a
company, they are given a user identity that is used to identify them across various
applications and services, such as O365 or external SaaS applications. User identities can be
added to groups or distribution lists, and they can hold administrative roles. Authorization
decisions are made against user identities. User identities can belong to members of your
organization or to people outside of your organization, as will be discussed later in this skill.


As covered in the “Describe what hybrid identity is” section, user identities are most typically 
synced from on-premises Active Directory via Azure AD Connect. The attributes of the user, 
such as name, department, and office phone, can all be synced in Azure AD Connect. 


User identities can also be created in Azure AD directly. An on-premises Active Directory is not 
needed. Population of additional user data, such as department, is still needed. This is usually 
provided by some other system as part of user onboarding. Both user identity types can be 
seen in Figure 2-5. 


When the term identity is used, it's most likely referring to a user identity.


[Figure 2-5 shows the Users > All users page of the Azure AD portal (actions: New user, New
guest user, Bulk operations, Refresh, Reset password, Multi-Factor Authentication). The table
columns are Name, User principal name, User type, and Directory synced; the seven users listed
are all of type Member, some with Directory synced = Yes (synced from on-premises) and some
with Directory synced = No (cloud-only).]


FIGURE 2-5 All users in Azure AD, including synced and cloud-only users


DEVICES

Devices also have an identity in Azure AD. There are three types of device identities in Azure
AD, but we're also including the on-premises device identity so that you have a complete
picture of all the device states you will encounter.


■ Domain-joined computer First, we have a traditional domain-joined computer. This
is usually a corporate-owned device that is joined to the on-premises Active Directory.
The on-premises Active Directory account is used to sign in. This is probably the device
identity type you are most familiar with; it has been used since Active Directory first
arrived in Windows 2000.

■ Hybrid Azure AD-joined device Next, there is the hybrid Azure AD-joined device,
which is domain-joined to Active Directory but also has an identity in Azure AD. Typically,
this identity is created through the Azure AD Connect sync process when syncing computer
accounts to Azure AD. The account used to log in to the device is still an on-premises
Active Directory account. However, because this device has an identity in Azure AD, it can
be used as part of the conditional access controls. It also gives users a better experience
by reducing prompts for Azure AD-backed applications.

■ Azure AD-joined Azure AD-joined devices are joined directly to Azure AD instead of
being domain-joined to on-premises Active Directory. Intune is used to apply policy and
manage the Azure AD-joined device. With an Azure AD-joined device, the Azure AD account
is used to log in. A device cannot be domain joined to both Active Directory and Azure
Active Directory at the same time.

■ Azure AD-registered Typically, this is a personal device, such as a mobile phone
or a personally owned computer. This is mostly used for BYOD scenarios where some
corporate resources are needed, but a device is not provided. Intune is used to provide
some light management capabilities. A local account, perhaps a Microsoft account,
is used to log in, not a corporate Active Directory or Azure Active Directory account.
Azure AD-joined, hybrid Azure AD-joined, and Azure AD-registered devices can all be seen
in the Devices section of the Azure AD portal, as shown in Figure 2-6.


[Figure 2-6 shows the Devices > All devices page of the Azure AD portal. The table columns
are Name, Enabled, OS, Version, Join Type, Owner, MDM, and Compliant; the three Windows 10
devices listed have the join types Azure AD registered, Azure AD joined, and Hybrid Azure AD
joined, with MDM = None.]


FIGURE 2-6 All devices in Azure AD


GROUPS

Groups are a collection of users or devices. They are used to specify an action or apply a policy 
on many of these objects at once instead of doing it individually. For example, if we want to 
grant everyone in the sales department access to a sales application, we can assign the sales 
group instead of assigning each member individually. We can also apply licenses to the group, 
and all members will receive the license assignment. This allows the admin to take actions at a 
greater scale. 


There are several types of groups that you can use in Azure AD:

■ You can sync your on-premises groups from Active Directory to use as a security group.

■ You can also create an Azure AD security group where the membership is assigned
directly to the group.

■ The group can also be given a dynamic membership based on attributes of the user or
the device.


The different group types and membership types are shown in Figure 2-7. 


[Figure 2-7 shows the New Group form (Default Directory > Groups > New Group) with the
fields Group type (Security), Group name, Group description, "Azure AD roles can be assigned
to the group (Preview)", Membership type (Dynamic User), Owners (No owners selected), and
Dynamic user members (Edit dynamic query).]


FIGURE 2-7 New Group creation


Using the previous sales team example, a dynamic group could be created with a rule that the
user's department equals Sales; any user matching that rule is automatically placed in the
group (see Figure 2-8). These dynamic groups are constantly reevaluated, adding and removing
members as attributes change. The automation that can be built around dynamic groups is
tremendous.
[Figure 2-8 shows the Dynamic membership rules page (Groups > New Group > Dynamic
membership rules) with Configure Rules and Validate Rules (Preview) tabs. The rule builder
row is And/Or, Property = department, Operator = Equals, Value = Sales, and the corresponding
rule syntax is (user.department -eq "Sales").]


FIGURE 2-8 Dynamic Membership Rules
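The following Python evaluator is an added example written for this section; it is not code from the book or from Microsoft. It implements a small subset of the dynamic membership rule syntax shown in Figure 2-8 (-eq, -ne, -contains, -and, -or, -not, and parentheses over user.<property> references) and runs it over a constructed set of user objects, so you can watch a rule select its members and then drop a member whose department attribute changes, which is the continuous re-evaluation the paragraph describes. Treating a missing attribute as never matching is an assumption of this model, and Azure AD's own engine supports more operators and property types than this subset.

```python
import re
from typing import Callable, Dict, List

# Constructed sample user objects (not real directory data); the keys mirror the
# user.<property> names used in the Azure AD rule builder.
SAMPLE_USERS: List[Dict[str, object]] = [
    {"userPrincipalName": "alice@contoso.example", "department": "Sales", "jobTitle": "Account Executive"},
    {"userPrincipalName": "bob@contoso.example", "department": "Engineering", "jobTitle": "Sales Engineer"},
    {"userPrincipalName": "carol@contoso.example", "department": "Finance", "jobTitle": "Analyst"},
    {"userPrincipalName": "dave@contoso.example", "department": "Sales", "jobTitle": None},
]
# Tokens: parentheses, double-quoted values, -operators, and user.<property> references.
_TOKEN = re.compile(r'\s*(\(|\)|"(?:[^"\\]|\\.)*"|-[A-Za-z]+|[A-Za-z_][\w.]*)')
# The subset of comparison operators this model supports (string-valued properties only).
_COMPARATORS: Dict[str, Callable[[str, str], bool]] = {
    "-eq": lambda actual, expected: actual == expected,
    "-ne": lambda actual, expected: actual != expected,
    "-contains": lambda actual, expected: expected in actual,
}


def tokenize(rule: str) -> List[str]:
    rule, pos, tokens = rule.strip(), 0, []
    while pos < len(rule):
        m = _TOKEN.match(rule, pos)
        if not m:
            raise ValueError(f"cannot tokenize rule at offset {pos}: {rule[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class RuleParser:
    """Recursive-descent parser turning a rule into a predicate over one user object.
    Grammar (-and binds tighter than -or): expr := term (-or term)*;
    term := factor (-and factor)*; factor := -not factor | '(' expr ')' | user.<prop> <op> "<value>"."""

    def __init__(self, rule: str) -> None:
        self.tokens, self.i = tokenize(rule), 0

    def _peek(self) -> str:
        return self.tokens[self.i] if self.i < len(self.tokens) else ""

    def _next(self) -> str:
        tok = self._peek()
        if not tok:
            raise ValueError("unexpected end of rule")
        self.i += 1
        return tok

    def parse(self) -> Callable[[Dict[str, object]], bool]:
        pred = self._expr()
        if self._peek():
            raise ValueError(f"unexpected trailing token {self._peek()!r}")
        return pred

    def _expr(self):
        parts = [self._term()]
        while self._peek().lower() == "-or":
            self._next()
            parts.append(self._term())
        return lambda u: any(p(u) for p in parts)

    def _term(self):
        parts = [self._factor()]
        while self._peek().lower() == "-and":
            self._next()
            parts.append(self._factor())
        return lambda u: all(p(u) for p in parts)

    def _factor(self):
        tok = self._next()
        if tok.lower() == "-not":
            inner = self._factor()
            return lambda u: not inner(u)
        if tok == "(":
            inner = self._expr()
            if self._next() != ")":
                raise ValueError("expected ')'")
            return inner
        if not tok.startswith("user."):
            raise ValueError(f"expected a user.<property> reference, got {tok!r}")
        prop, op, value = tok[len("user."):], self._next().lower(), self._next()
        if op not in _COMPARATORS:
            raise ValueError(f"unsupported operator {op!r}")
        if len(value) < 2 or value[0] != '"' or value[-1] != '"':
            raise ValueError("comparison value must be double-quoted")
        expected, compare = value[1:-1], _COMPARATORS[op]
        # Assumption of this model: a missing or null attribute never satisfies a comparison.
        return lambda u: isinstance(u.get(prop), str) and compare(u[prop], expected)


def evaluate_members(rule: str, users: List[Dict[str, object]]) -> List[str]:
    """UPNs the rule currently selects. Azure AD re-runs this evaluation as attributes
    change, which is what makes dynamic membership self-maintaining."""
    matches = RuleParser(rule).parse()
    return sorted(str(u["userPrincipalName"]) for u in users if matches(u))


if __name__ == "__main__":
    rule = '(user.department -eq "Sales")'  # the rule syntax shown in Figure 2-8
    print(rule, "->", evaluate_members(rule, SAMPLE_USERS))
    # Simulate an attribute change: alice transfers out of Sales and drops out on re-evaluation.
    moved = [dict(u, department="Marketing") if u["userPrincipalName"] == "alice@contoso.example" else u
             for u in SAMPLE_USERS]
    print("after transfer ->", evaluate_members(rule, moved))
```

Because membership follows the attribute rather than an explicit assignment, the attribute source (here the department synced from on-premises AD, per the earlier section) becomes security-relevant: whoever can set a user's department can place that user into any group keyed on it, which is why rules that gate sensitive access should be paired with access reviews.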


Microsoft 365 groups (sometimes referred to as unified groups) are a newer group type
and represent the future direction for resource permissions in Microsoft 365, such as Teams,
SharePoint, and Exchange Online. One group can be used to ensure consistent access with
minor administrative effort across the Microsoft 365 suite of applications.


APPLICATIONS 

Nobody logs into anything for the fun of it. Users log in to do something important to them,
such as send an email, check their paystub, or access a line-of-business application.
Applications are the day-to-day drivers for users, and there are lots of applications in Azure AD.


As described earlier, Azure AD supports open standards such as SAML, OAuth, and OpenID
Connect. Any applications that support these protocols can be integrated into Azure AD. Azure
AD also has an Application Gallery where Microsoft has worked with these different
application providers to make the setup as easy as possible. The Application Gallery can be seen
in Figure 2-9. Azure AD also can work with your on-premises web applications using Azure AD
Application Proxy, as described earlier.


Line-of-business applications can also be updated to use Azure AD authentication. Because
Azure AD supports open standards, any language that has a library for SAML, OAuth, or OpenID
Connect can integrate with Azure Active Directory. Microsoft also has the MSAL library to
simplify the authentication process for many common languages, such as .NET, ASP.NET,
Node.js, Java, Python, iOS, macOS, Android, and Xamarin.


MOREINFO MSAL LIBRARIES 
To learn more about the MSAL libraries available, see https://aka.ms/SC900_MSAL. 
[Figure 2-9 shows the Browse Azure AD Gallery page (Default Directory > Enterprise
applications > Browse Azure AD Gallery) with Create your own application and Request new
gallery app actions, a search box with Single Sign-on, User Account Management, and
Categories filters, and sections for Cloud platforms (Amazon Web Services, Google Cloud
Platform, Oracle, SAP), On-premises applications (Add an on-premises application, Learn about
Application Proxy, Manage Application Proxy connectors, described as lightweight agents that
sit on-premises and make the outbound connection to the Application Proxy service), and
Featured applications (for example Adobe Creative Cloud, ADP GlobalView, Atlassian Cloud).]


FIGURE 2-9 Azure AD application gallery


Application identities can be seen in the Enterprise Apps section of the Azure AD portal, as
shown in Figure 2-10. These are called service principals. These define the access policy and
permissions for the application insofar as what it can do in the tenant. There is a lot of
developer detail beyond the scope of this exam, but here is a real-world example: When
applying a conditional access policy, such as requiring users to complete MFA before accessing
an application, you apply the conditional access policy to a service principal. These are
automatically added to the tenant when you integrate an application from the Application
Gallery, consent to an application, or add an app proxy application.


[Figure 2-10 shows the Enterprise applications > All applications page of the Azure AD portal,
with Application type, Applications status, and Application visibility filters. The table columns
are Name, Homepage URL, Object ID, and Application ID; the rows include first-party service
principals such as Office 365 Exchange Online, Office 365 Management APIs, Office 365
SharePoint Online, and Skype for Business Online, alongside a custom Contoso application.]


FIGURE 2-10 Azure AD Enterprise Applications
A second type of service principal is called a managed identity. This is typically for
developers, but it can be used by anyone managing Azure resources that use Azure Active
Directory authentication. The idea is that no credential management needs to be done for the
application. Without managed identities, a developer would need to rotate either a shared
secret (a password for an application) or a certificate at regular intervals, and these credentials
would need to be protected as well. With a managed identity, the service handles the storage
and rotation.


MOREINFO AZURE AD MANAGED IDENTITIES 


To learn more about Managed Identities, see https://aka.ms/Managedidentities. 


The final type of application identity is the application object created by application
registration. This configures the application to use Azure AD identities for authentication (in
your tenant or, if you choose to allow it, in other people's Azure AD tenants) and results in
an application object being created in Azure AD. Things like the application's uniform resource
identifier (URI) and its permissions are defined in this object. Every application object (created
through the Azure portal, the Microsoft Graph APIs, or the Azure AD PowerShell module) also
creates a corresponding service principal object that inherits certain properties from that
application object. The application object lives in one tenant, and it would not be in your tenant
unless it were an application your company was developing (see Figure 2-11).


[Figure 2-11 shows the App registrations page of the Azure AD portal (actions: New
registration, Endpoints, Troubleshooting, Download, Preview features), with a banner noting
that starting June 30th, 2020 no new features are added to Azure Active Directory
Authentication Library (ADAL) and Azure AD Graph, and that applications need to be upgraded
to Microsoft Authentication Library (MSAL) and Microsoft Graph. The Owned applications tab
lists one registration with the columns Application (client) ID, Created on (5/6/2021), and
Certificates & secrets (Current).]


FIGURE 2-11 Azure AD Application Registration


Putting it all together with a few examples should clarify what administrators see in the
portal. Contoso is using Office 365. There will be a service principal for Office 365 Exchange
Online, Office 365 SharePoint Online, and so on in their Enterprise Apps. There will not be an
application registration for those applications. The application registration would be in the
Microsoft tenant, not in the Contoso tenant. The only thing Contoso would see is the service
principal in Enterprise Applications. This applies to any application added from the gallery or
that is manually added. Contoso is moving its line-of-business application to leverage Azure AD
authentication. In this scenario, there would be an object for this line-of-business application
in the Application Registrations section and a service principal object in the Enterprise
Applications section.


MOREINFO AZURE AD APPLICATIONS AND SERVICE PRINCIPALS 


To learn more about Azure AD applications and service principals, see
https://aka.ms/SC900_AADAppObjects.


Describe the different external identity types (guest users) 


Most companies' business models require them to work with external identities. This can be
in the shape of business partners, distributors, suppliers, or vendors. Previously in this type of
scenario, an external Active Directory forest would be used, and the business partner would
be given a separate account in that forest. This presented a couple of challenges. First, because
these identities were not the business partners' main corporate identities, they would
frequently forget their passwords, which would increase help desk calls. Second, when this
business partner would leave their company, they would still have an account in the external Active
Directory forest unless a separate notification process had been set up (which is rare). The
business partner would still be able to log in and access resources, even if they shouldn't be able to.
Azure AD business-to-business (B2B) solves both issues.


Azure AD B2B focuses on enabling collaboration between companies. For example, let's
consider an airline that designs and sources parts from many different companies. These
business partners frequently need to work on a document or access other resources hosted
by the airline. Azure AD B2B facilitates this collaboration and solves the two problems above
by inviting their corporate identity into your tenant as a guest user, as shown in Figure 2-12.
The only thing needed for this to work is the corporate identity's email address. Access to resources in
your tenant would be controlled just like it would for other users, including the ability to apply
conditional access policies to these guest accounts. All authentication for the guest user takes
place in their home directory. The airline would invite its supplier into their tenant to work on a
document. Before the supplier company user could access the document, they would authenticate
in their home tenant. If the authentication is successful and passes the Conditional Access
requirements, the supplier would have access to whatever was granted to them in the airline
company's tenant, which in this case, is the document.


This solves the first password problem because the supplier is using their current corporate
credentials, not an additional account they must remember when they use it. Any password
resets would need to take place in their home directory for their main corporate account,
just like they would do today if they forgot their password. It also solves the second problem
because if the partner left their company, their corporate account would be terminated.
They would not be able to successfully authenticate and access any of your organization's
resources.
[Figure 2-12 screenshot: the Azure AD "New user" blade (Home > Default Directory > Users) with the "Invite user" option selected ("Invite a new guest user to collaborate with your organization. The user will be emailed an invitation they can accept in order to begin collaborating."), next to the alternative "Create user" option. The Identity section holds the guest's name and email address (Nicholas DiCola, Nicholas@company.com), followed by a personal message from the inviting user pointing the guest at a SharePoint site, and a Groups and roles section with 0 groups selected and the User role.]

FIGURE 2-12 Azure AD B2B invite


MORE INFO B2B INVITE AND REDEMPTION


To learn the different ways B2B users can redeem invitations, see
https://aka.ms/SC900_B2BRedemption.
External identities can also be customers who are purchasing products or services.
Traditionally, the customers would need to create an account on the website to complete the order.
This can be frustrating for the customer because they now must create an account on each site
from which they want to buy goods or services. This is the traditional Customer Identity and
Access Management (CIAM) scenario, where Azure AD Business-to-Consumer (B2C) comes
into play to help with this problem.


Azure AD B2C focuses on your business customers. In our airline example, this would be the 
person buying a flight from the airline. This person would use a B2C account to complete their 
purchase. Azure AD B2C is a separate directory from your corporate Azure AD directory and 
can scale to millions of users. Azure AD B2C branding is fully customizable per application or 
organization. Typically, this type of customization and flexibility will require a developer who 
understands web technologies such as HTML, CSS, and JavaScript. 


Another aspect of Azure AD B2C is that it can support other consumer identities, such as a 
Microsoft Account (MSA), a Google account, or Facebook. This way, when buying a ticket from 
the airline, the user wouldn't need to create a new account. Instead, the user could use one 
of their other accounts to authenticate. It’s really up to the business to decide which accounts 
they want their customers to use. 


MORE INFO AZURE AD B2B AND AZURE AD B2C


To compare all the features in Azure AD B2B and Azure AD B2C, see
https://aka.ms/SC900_B2BAndB2C.


Skill 2-2: Describe the authentication capabilities of Azure AD


This objective deals with the authentication capabilities of Azure Active Directory. You will
learn the ways we can prevent users from using weak passwords in both your Azure Active
Directory and Active Directory. You'll also learn about self-service password reset, which is one
of the easiest ways to reduce help desk call volumes, increase security, and increase user
flexibility and satisfaction. Then we'll focus on multifactor authentication—what it means and what
methods are available for users. Finally, we'll discuss passwordless authentication methods such
as Hello for Business and the authenticator app, which significantly increase both security and
the user experience.


Describe the different authentication methods 

Azure Active Directory provides multiple authentication methods for users. The most common 
one is passwords. While many people are familiar with this method, we saw in the identity 
principles and concepts section that many of the most common attacks involve the use of 
passwords. Passwords need to be strengthened where possible and paired with stronger 
factors until they can be removed entirely. 
Later in this section, we'll go into more detail about MFA methods, but multifactor
authentication is some combination of something you know, something you have, or something you
are. The following factors satisfy the something you have requirement: a phone call, a text
message, a hardware token, a software token with a one-time passcode (OTP), or a Microsoft
Authenticator app push notification. Combining a password with one of these methods will
greatly increase your security posture and is really the minimum security bar organizations
should reach in a modern environment.


The latest and strongest authentication methods are passwordless authentication methods
(which are a form of multifactor authentication that no longer requires a password). These
include Windows Hello for Business, FIDO2, and the Microsoft Authenticator app. To register
for a passwordless authentication method, these credentials need to be bootstrapped by leveraging
MFA or a Temporary Access Pass (TAP). A TAP is a time-limited passcode that is issued by an
admin and satisfies strong authentication requirements. A TAP can be used to register
passwordless credentials.


In this section, we'll go into more detail about how we can strengthen passwords and MFA 
and passwordless credentials such as Hello for Business. 


Describe password protection and management capabilities 


At this point, it should be obvious that passwords are one of the weakest security links we have
in our organizations. As much as we'd like to remove passwords altogether, that isn't practical
for most environments. However, there are several things we can do today to strengthen
the passwords we use. First, the password policies set by organizations put people into
predictable patterns for password use. As we saw with the password spray attack, having
users change their passwords every 30 days can lead to users setting their password to the
MonthYearSpecialCharacter (for example, September2020!) pattern. Often, quarterly password
changes result in users creating passwords that match the seasons. This should be changed
from a policy perspective to require stronger passwords that are changed less frequently.


Another way to stop these easily guessable passwords is to leverage Azure AD Password
Protection, which detects and prevents well-known weak passwords from being used. It combines
a global banned list, a custom banned list that the organization controls, and a scoring-based
system. Azure AD Password Protection can be set in audit mode or enforced mode; audit mode
lets you see how many passwords would have been blocked without blocking them. This is a great way
to show management the need for enabling the feature. It works natively for cloud-based
accounts and can be extended to on-premises accounts in Active Directory!


MORE INFO ORGANIZATIONAL PASSWORD POLICIES


For recommendations on password management, see
https://aka.ms/SC900_PasswordGuidance.
AZURE AD PASSWORD PROTECTION GLOBAL BANNED LIST

The global banned list is updated and maintained by the Azure Active Directory team and is
based on commonly used weak or compromised passwords. There is nothing to configure,
update, or maintain from an organizational perspective. This list cannot be disabled either. This
list is automatically applied during a password change or reset through Azure Active
Directory. This list will automatically be combined with the custom banned list when passwords are
evaluated.


AZURE AD PASSWORD PROTECTION CUSTOM BANNED LIST 

The custom banned list enables organizations to add banned passwords specific to their 
organization. This should include things like product and brand names, company locations, 
company-specific internal terms or abbreviations. It’s also good to add passwords that have 
local significance, such as local sports teams (see Figure 2-19). This list can hold a maximum 
number of 1,000 terms. The custom list is not meant to hold a large common password list 
like the irockyou list. Remember, the passwords must pass a scoring threshold. They are not 
banned outright just because they appear on the list. 


NOTE IROCKYOU LIST 


The irockyou list is a large list of commonly used passwords. Attackers use this list when 
attempting to guess a password. 


Figure 2-13 shows the Azure AD Password Protection screen. 


[Figure 2-13 screenshot: the Authentication methods > Password protection blade (Home > Default Directory > Security > Authentication methods). Custom smart lockout is configured with a Lockout threshold of 10 and a Lockout duration of 60 seconds. Under Custom banned passwords, "Enforce custom list" is set to Yes and the Custom banned password list contains Widgets, Locations, and Sports Team. Under Password protection for Windows Server Active Directory, "Enable password protection on Windows Server Active Directory" is set to Yes, and Mode offers Enforced or Audit.]

FIGURE 2-13 Azure AD Password protection
HOW PASSWORDS ARE SCORED

Passwords go through several steps during the scoring process. First, they go through a
normalization process. All uppercase characters are changed to lowercase, and all common
character substitutions are undone (for example, in p@ssw0rd the @ is changed to the letter a,
and 0 (zero) is changed to the letter o). Then the score for the password is calculated. First, fuzzy
matching and substring matching are performed to see if the normalized password contains any
entry on the global or custom banned password list. For each banned password found in a user's password,
one point is given. Then one point is given for each remaining character that is not part of a
banned password. A password must get a score of 5 or above to be accepted.
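
The scoring steps just described, carried out in code so the arithmetic is visible. This is an added example written for this section, not Microsoft's implementation: the banned lists are constructed samples, the "$" to "s" substitution and the one-character fuzzy match are assumptions about rules the text only summarizes, and the function names are mine.

```python
"""Azure AD Password Protection scoring as described in this section:
normalize, match banned terms (substring and fuzzy), count points, compare to 5.
Added example for illustration; not Microsoft's implementation."""

from dataclasses import dataclass

# Normalization undoes common character substitutions. "@" -> "a" and
# "0" -> "o" are the ones named in the text; "$" -> "s" is an assumed extra.
_SUBSTITUTIONS = str.maketrans({"@": "a", "0": "o", "$": "s"})

# Constructed sample lists. The real global list is maintained by Microsoft
# and cannot be edited; the custom list is what an organization adds.
GLOBAL_BANNED = {"password", "blank", "welcome", "summer"}
CUSTOM_BANNED = {"contoso", "widgets"}

MIN_SCORE = 5   # a password must score 5 or above to be accepted
_USED = "\0"    # marks characters already attributed to a banned term


def normalize(password: str) -> str:
    """Step 1: lowercase and undo common substitutions."""
    return password.lower().translate(_SUBSTITUTIONS)


def _fuzzy_equal(window: str, term: str) -> bool:
    """Assumed fuzzy rule: same length, at most one differing character."""
    return len(window) == len(term) and sum(a != b for a, b in zip(window, term)) <= 1


@dataclass
class ScoreResult:
    normalized: str
    matched_terms: list
    score: int
    accepted: bool


def score_password(password: str, banned=None) -> ScoreResult:
    """Steps 2-4: find banned terms, award one point per term and one per
    remaining character, accept if the total reaches MIN_SCORE."""
    terms = (GLOBAL_BANNED | CUSTOM_BANNED) if banned is None else set(banned)
    normalized = normalize(password)
    remaining = list(normalized)
    matched = []
    # Longest terms first so a long banned term is not broken up by a shorter one;
    # ties broken alphabetically so results are deterministic.
    for term in sorted(terms, key=lambda t: (-len(t), t)):
        n, i = len(term), 0
        while i + n <= len(remaining):
            window = "".join(remaining[i:i + n])
            if _USED not in window and (window == term or _fuzzy_equal(window, term)):
                matched.append(term)
                remaining[i:i + n] = [_USED] * n   # these characters earn no further points
                i += n
            else:
                i += 1
    leftover = sum(1 for ch in remaining if ch != _USED)
    score = len(matched) + leftover
    return ScoreResult(normalized, matched, score, score >= MIN_SCORE)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "C0ntos0Blank12", "C0ntos0Blank123", "Widg3ts!"):
        r = score_password(candidate)
        verdict = "accepted" if r.accepted else "rejected"
        print(f"{candidate:16} -> {r.normalized:16} terms={r.matched_terms} score={r.score} {verdict}")
```

Running it shows why a custom list entry is not an outright ban: "C0ntos0Blank12" normalizes to "contosoblank12", earns one point each for "contoso" and "blank" plus one per leftover digit, and is rejected at 4, while adding a single extra character lifts it to 5 and it passes. "Widg3ts!" is caught only by the fuzzy rule, since "widg3ts" is one character away from the custom term "widgets".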


MORE INFO PASSWORD SCORING EXAMPLES 


For more examples of the scoring process, see https://aka.ms/SC900_PasswordScoring. 


AZURE ACTIVE DIRECTORY PASSWORD PROTECTION WITH ACTIVE DIRECTORY

Azure Active Directory Password Protection can also be used with on-premises Active
Directory. The same global and custom list can be used for password resets or changes in Active
Directory. At a high level, a password protection agent that includes a password filter .dll is
installed on each domain controller. This will also work with any existing password filters on the
domain controller. This agent reaches out to the Azure Active Directory Password Protection
Proxy service running on a domain member server. This protection proxy is what reaches out
to Azure Active Directory to get the global and custom lists. You can now have the same global
and custom list applied to password changes or resets in Azure Active Directory or Active
Directory. This is a great way to increase your password strength both on-premises and
in the cloud.


MORE INFO AZURE AD BANNED PASSWORD ACTIVE DIRECTORY INTEGRATION


For details on how to implement the Active Directory integration, see
https://aka.ms/SC900_BannedPasswordADIntegration.


Describe self-service password reset 


Password reset requests are one of the highest drivers of help desk calls, which eat up time
and money. Users also dislike calling the help desk for anything, let alone for something as
simple as a password reset. Finally, calling the help desk to reset a password is a method used
by attackers to social engineer access into an account. They call with an urgent request, such as
they don't have time to go through the normal verification procedures when there is a
million-dollar deal on the line, and they just want the password to be reset on the account.


Azure Active Directory provides the ability for users to reset their own passwords. This
applies to cloud-only accounts as well as hybrid accounts, where it would reset the
on-premises Active Directory password. As an administrator, you can require users to pass one or
two security gates before they can reset their passwords, as shown in Figure 2-14.
[Figure 2-14 screenshot: the Password reset > Authentication methods blade (Home > Default Directory > Password reset). It shows the "Number of methods required to reset" setting and the "Methods available to users" checkboxes: Mobile app notification, Mobile app code, Email, Mobile phone, Office phone, and Security questions. An information note states that users can register their mobile app at https://aka.ms/mfasetup or in the new security info registration experience at https://aka.ms/setupsecurityinfo, that security info registration can be enabled by following the steps at https://aka.ms/securityinfodocs, and that help on Authenticator app methods is at https://aka.ms/authappsspr. A second note states that these settings only apply to end users; admins are always enabled for self-service password reset and are required to use two authentication methods to reset their password.]

FIGURE 2-14 Azure AD SSPR Authentication Methods


Administrator accounts can also leverage self-service password reset, but they always must
pass two of the following security gates.


■ Mobile app notification This can also be used as a multifactor authentication
method. The user gets a push notification in the Microsoft Authenticator app and must
approve it to satisfy this gate. This method can only be used when two gates are required
for SSPR.

■ Mobile app code This can also be used as a multifactor authentication method. The
user must enter the code shown in the mobile app into the password reset portal.

■ Email address This should be a separate email address from the user's Microsoft
365 Exchange Online email address. The user must have access to this email address
and follow the instructions in the email. This method cannot be used for multifactor
authentication.

■ Mobile phone This can also be used as a multifactor authentication method. The user
will get a phone call or an SMS text message.

■ Office phone This can also be used as a multifactor authentication method. The user
must answer the phone associated with their office phone number.

■ Security questions These are only available to Azure AD self-service password reset
and can only be used with accounts that have not been assigned administrative roles.
Questions are stored on the user object in Azure AD and cannot be read or modified
by an administrator. They should be used in conjunction with another method. A user
must answer three, four, or five questions to pass this gate; the number is configurable by the
administrator. Azure AD includes the following predefined questions, and it is possible
to create custom questions:


■ In what city did you meet your first spouse/partner?

■ In what city did your parents meet?

■ In what city does your nearest sibling live?

■ In what city was your father born?

■ In what city was your first job?

■ In what city was your mother born?

■ What city were you in on New Year's 2000?

■ What is the last name of your favorite teacher in high school?

■ What is the name of a college you applied to but didn't attend?

■ What is the name of the place in which you held your first wedding reception?

■ What is your father's middle name?

■ What is your favorite food?

■ What is your maternal grandmother's first and last name?

■ What is your mother's middle name?

■ What is your oldest sibling's birthday month and year? (for example, November 1985)

■ What is your oldest sibling's middle name?

■ What is your paternal grandfather's first and last name?

■ What is your youngest sibling's middle name?

■ What school did you attend for sixth grade?

■ What was the first and last name of your childhood best friend?

■ What was the first and last name of your first significant other?

■ What was the last name of your favorite grade-school teacher?

■ What was the make and model of your first car or motorcycle?

■ What was the name of the first school you attended?

■ What was the name of the hospital in which you were born?

■ What was the name of the street of your first childhood home?

■ What was the name of your childhood hero?

■ What was the name of your favorite stuffed animal?

■ What was the name of your first pet?

■ What was your childhood nickname?

■ What was your favorite sport in high school?

■ What was your first job?

■ What were the last four digits of your childhood telephone number?

■ When you were young, what did you want to be when you grew up?

■ Who is the most famous person you have ever met?


MORE INFO AUTHENTICATION METHODS

You can learn more about authentication methods at https://aka.ms/SC900_AADAuthMethods.


Azure AD self-service password reset can also reset the password of hybrid users in Active
Directory. Azure AD Connect is required with password writeback enabled, as shown in
Figure 2-15. In this scenario, the password reset is first written to on-premises Active
Directory. If it's successful, the user receives the message that their password has been
successfully changed. If password hash sync is enabled, the new password is synced to Azure Active
Directory through Azure AD Connect. No other directory type supports writeback.


[Figure 2-15 screenshot: the Optional features page of the Microsoft Azure Active Directory Connect wizard ("Select enhanced functionality if required by your organization."). The optional features listed are Exchange hybrid deployment, Exchange Mail Public Folders, Azure AD app and attribute filtering, Password hash synchronization, Password writeback, Group writeback, Device writeback, and Directory extension attribute sync; Password writeback is checked.]

FIGURE 2-15 Azure AD SSPR Password writeback enabled


MORE INFO SELF-SERVICE WRITEBACK

You can learn more about how SSPR writeback works at https://aka.ms/SC900_SSPRWriteback.
Azure AD self-service password reset is also integrated with the Windows 10 lock screen, as
shown in Figure 2-16. For the user to log in to the workstation after resetting their password
through Azure AD SSPR, they need network connectivity to a domain controller, either
through the corporate network or the VPN. The reset does not update the locally cached credentials
on the workstation.


[Figure 2-16 screenshot: the Windows lock screen for "Other user" with "Sign in to: Contoso", showing a "Reset password" link alongside "How do I sign in to another domain?".]

FIGURE 2-16 Azure AD SSPR enabled at the Windows lock screen


MORE INFO SELF-SERVICE PASSWORD RESET LOCK SCREEN DEPLOYMENT


You can learn more about deploying Azure AD SSPR at the Windows lock screen at
https://aka.ms/SC900_SSPRLockScreen.


Describe multifactor authentication 


As described earlier, multifactor authentication requires a user to authenticate with two or 
more different factor types. These factor types are something you know (typically a password), 
something you have (typically a phone or other physical device), or something you are 
(biometrics). Having a user enter two different passwords would not count as multifactor 
authentication because passwords use the same type of factor—in this case, knowledge. Azure 
MFA includes several different authentication options. 


■ Phone The user will get a phone call and must press a specific key, such as #, or they
will get an SMS text message containing a code that they will need to enter into the
login screen.

■ Mobile app notification The Microsoft Authenticator application receives a push
notification from Azure MFA. The user sees the notification in which they must verify
their authentication. The user approves it if the user performed the authentication or
denies it otherwise.

■ Mobile app code/Software tokens The Microsoft Authenticator app supports
the Open Authentication (OATH) time-based one-time password (TOTP) standard.
The code rotates every 30 or 60 seconds. Any other software token or authenticator
app that supports OATH-TOTP can also be used.

■ Hardware tokens OATH-TOTP SHA-1 tokens that refresh every 30 or 60 seconds can
also be used.

As you'll notice, there is some overlap between the methods available for SSPR and Azure 
MFA. Depending on the factors you've set up, users can register for both SSPR and MFA at the 
same time they are registering for either SSPR or MFA if you have enabled combined security 
information registration (see Figure 2-17). 


[Figure 2-17 screenshot: the Azure AD "User feature previews" blade (Home > Default Directory) with three settings, each offering None, Selected, or All: "Users can use preview features for My Apps", "Users can use the combined security information registration experience" (set to All), and "Administrators can access My Staff".]

FIGURE 2-17 Azure AD combined security information registration experience


MORE INFO COMBINED SECURITY INFORMATION


You can learn more about deploying the combined security information at
https://aka.ms/SC900_CombinedRegistration.


To require users to perform Azure MFA when accessing a resource, make sure to configure
the option in conditional access. (This will be covered in Skill 2-3.) Applications that leverage
modern protocols such as WS-Fed, SAML, OAuth, and OpenID Connect and that are integrated
with Azure Active Directory can require MFA before they can be accessed. Also, applications
connected to Azure Active Directory through Azure AD Application Proxy can leverage Azure
MFA because the user is performing Azure MFA against Azure Active Directory before accessing
the application. This means the application doesn't need to make any changes to take
advantage of Azure MFA or any other conditional access controls.


Finally, be mindful of over-prompting users. This can lead to MFA fatigue, where they
mistakenly accept an MFA prompt that was generated by an attacker, which defeats the purpose
of MFA altogether. One way to reduce prompts is to leverage a passwordless technology like Windows
Hello for Business or FIDO2 at sign-in to the workstation. This would satisfy any future MFA
prompts because strong authentication is being performed at sign-in. MFA is really the bare
minimum that can be done today, but the direction you should be moving to is passwordless
authentication. It's the strongest form of authentication and provides the best user experience.
It's truly a win-win.


EXAM TIP 


Make sure you understand what makes up MFA and the methods that can be used for MFA 
authentication (phone, text, Authenticator app, and a hardware token). 


Describe Windows Hello for Business and passwordless credentials


Passwordless credentials are the latest form of strong authentication, providing the best
balance between user experience and security. They authenticate the user by combining two
factor types: something you have (the device) with either something you know (in this case, a PIN
tied to the device) or something you are (biometrics). Biometrics include fingerprint or facial
recognition.


NOTE PIN VERSUS PASSWORD 


The important difference between a PIN and a password is that a PIN can only be used
on the device where it's registered. A password could be used anywhere. This is a
huge security improvement because knowing the PIN is only valuable to the attacker if they
have that specific device.


Also, because the user is performing MFA on sign-in to the device, their authentication
token will reflect that they've already completed MFA. That means future MFA challenges are
automatically satisfied when this token is used, which will drastically cut down on the MFA
prompts the user would normally see without compromising the security. This makes for a
great user experience and prevents over-prompting for MFA. There are three types of
passwordless credentials in Azure Active Directory: Windows Hello for Business, Microsoft
Authenticator app, and FIDO2.
Windows Hello for Business is a great passwordless solution for when a user uses the same
device every day. Think of your traditional information worker who is assigned a workstation
that only they use. To use Windows Hello for Business, a user must complete Windows Hello for
Business registration, as shown in Figure 2-18, by performing strong authentication. During this
registration process, the user would create their PIN and optionally enroll in biometrics, such
as fingerprint or facial recognition, if the device hardware supports it and is configured to do so
by the administrator. A public/private key pair is also generated, with the private key being stored in
the Trusted Platform Module (TPM) chip. The user logs in by either entering their PIN or using a
biometric method. This act unlocks the TPM chip to access the private key. Windows then uses
the private key to authenticate the user with Azure AD.


[Figure 2-18 screenshot: the "Use Windows Hello with your account" dialog. It reads: "Your organization requires you to set up your work or school account with Windows Hello Face, Fingerprint, or PIN. If you've already set up Windows Hello on this device, we'll automatically add it for this account. You may be asked to re-verify with Windows Hello. If your organization requires a more complex PIN, Windows will prompt you to change it."]

FIGURE 2-18 Windows Hello for Business registration screen


There are two important things to understand about this process. 


■ First, the PIN and biometrics (if used) never leave the device. They aren't stored in Azure
AD and do not roam to any other devices. They are completely local to the device where
registration took place.


■ Second, the PIN and biometrics are not used to authenticate the user to Azure AD. This
is a common misconception. The private key is used to do the authentication. The PIN
and biometrics are used to unlock the TPM to access the private key. The private key
(protected by the TPM) is used to authenticate the user to Azure AD, NOT the PIN or
biometric.
The user sign-in experience can be seen in Figure 2-19.


[Figure 2-19 screenshot: the Windows sign-in screen for the user Mark, with a PIN entry field, an "I forgot my PIN" link, and a "Sign-in options" link.]

FIGURE 2-19 Windows login screen with Windows Hello for Business PIN


MORE INFO WINDOWS HELLO FOR BUSINESS 


To understand the finer details of the Windows Hello for Business registration and
authentication process, see https://aka.ms/SC900_H4BDeepDive.


The second passwordless factor is the Microsoft Authenticator app. This works well for
scenarios in which the user is using a non-corporate device, such as a personal/home machine or a
non-Windows device (Mac or Linux workstation). The user must have the Microsoft Authenticator
app installed on their mobile device. They then complete the enable phone sign-in process in the
Authenticator app. The phone sign-in process requires a user to match the number on the screen
at sign-in, as shown in Figure 2-20, with the number on the device, as shown in Figure 2-21.
[Figure 2-20 screenshot: the Microsoft "Approve sign in" page for yuri@markmorowhotmail.onmicrosoft.com. It reads "Open your Microsoft Authenticator app and tap the number you see below to sign in.", shows the number 36, and offers a "Use your password instead" link.]

FIGURE 2-20 Passwordless number match sign-in seen by the user


[Figure 2-21 screenshot: the Microsoft Authenticator app's "Approve sign-in?" prompt for yuri@markmorowhotmail.onmicrosoft.com, reading "Enter the correct number to sign in." with 36 among the numbers shown.]

FIGURE 2-21 Passwordless number match on the Authenticator app
Finally, we have FIDO2 credentials, which are based on an open standard backed by the FIDO
Alliance. FIDO2 authentication works best in a one-to-many machine scenario or where mobile
phones are not allowed for safety or security reasons. For example, a manufacturing floor
might have a handful of machines for workers to log hours, check benefits, or check email.
They might use a different machine each time. They also may not be allowed to bring in a
mobile phone. FIDO2 devices come in many different form factors besides the traditional USB
key, such as RFID badges. FIDO2 registration and authentication work very similarly to Windows
Hello for Business, except the private key is stored on the FIDO2 device itself (rather than in
the TPM of the computer). As with the TPM, this private key is designed never to be exported
from that FIDO2 device.


MORE INFO FIDO ALLIANCE AND FIDO2 SPECIFICATIONS


To learn more about the FIDO Alliance members and the protocol details of FIDO2, see 
https://aka.ms/SC900_FIDO2. 


EXAM TIP 


The Hello for Business biometrics and PIN never leave the device itself. They are not stored 
in Azure AD or any other device. They are only stored on the device that Hello for Business 
registration was successfully completed on. 


Skill 2-3: Describe the access management capabilities of Azure AD


This objective deals with the access management capabilities of Azure Active Directory. Conditional access is the main driver of access in Azure Active Directory. You'll learn the different configuration options available in conditional access, as well as common conditional access policies. You'll also learn about the built-in Azure AD roles and about following the model of least privilege.


Describe what conditional access is 


Conditional access is the main decision engine and enforcement point and the ultimate driver of identity as the primary security perimeter, as discussed in the "Identity principles and concepts" section. As an administrator, you can combine different requirements, such as who the user is, the groups or roles they belong to, what type of device they are coming from, which application they are using, what the user risk level is, and where they are coming from, to determine whether they are allowed access, denied access, or must perform additional authentication such as multifactor authentication before they can access the resource. These checks are performed each time a new authentication is performed against Azure AD. A denied message is shown in Figure 2-22; it is displayed when the authentication attempt does not meet the requirements of the conditional access policy.


Conditional access also works with other M365 features such as Microsoft Cloud Application 
Security (MCAS) for additional security to monitor sessions and activities performed within 
that session after authentication. Conditional access gives administrators great flexibility to 
ensure that the organization's assets and resources are protected at the security levels desired. 
Conditional access also ensures that the workforce is still able to work wherever and whenever 
they are. 


[Figure: Microsoft sign-in page for mark@markmorowhotmail.onmicrosoft.com reading "You can't get there from here. This application contains sensitive information and can only be accessed from Default Directory domain joined devices. Access from personal devices is not allowed", with "Sign out and sign in with a different account" and "More details" links]

FIGURE 2-22 Conditional access policy message when the policy requirements are not met


Describe uses and benefits of conditional access 


Conditional access gives the administrator very granular control to ensure users meet the 
organization's security requirements to access Azure AD-protected resources. There are many 
different configuration choices to meet various scenarios (see Figure 2-23). 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute.

[Figure: New conditional access policy blade (Home > Default Directory > Security > Conditional Access > New) with the fields Name, Assignments (Users and groups, Cloud apps or actions, Conditions), Access controls (Grant, Session), and Enable policy (Report-only / On / Off)]

FIGURE 2-23 Conditional access policy options


The configuration options shown in Figure 2-23 are as follows:

■ Name A name for the conditional access policy.

■ Users And Groups Users, groups, or roles that the policy applies to.

■ Cloud Apps Or Actions Which cloud apps or user actions the policy applies to. Policies can apply to some or all applications. You can also specify specific user actions that will trigger the conditional access policy, such as registering for multifactor authentication.

■ Conditions The conditions under which the associated policy will apply. These include user risk and sign-in risk, which we will cover more specifically in Skill 2-4, "Describe the identity protection and governance capabilities of Azure AD." You can also determine the device platforms the policy will apply to, such as Windows, Android, iOS, or macOS. You can also determine which locations the policy should apply to, such as users coming from off the corporate network or from a specific geographic location configured in your Named Networks settings. You can also determine which client apps this policy will apply to. Does it apply to modern authentication clients like a browser, mobile apps, and desktop clients? Or does this policy apply to legacy authentication clients like ActiveSync? Finally, what is the device state to which this policy applies, such as whether the device is hybrid Azure AD-joined or marked as compliant?

■ Access Controls This can be a block control that would prevent access if the policy were applied, or it can be a grant control that allows access if the user passes the controls specified. These grant controls include:

  ■ Requiring the user to satisfy MFA.
  ■ Access from an Intune-compliant device.
  ■ Access from a hybrid Azure AD-joined device.
  ■ For mobile use, an approved client app that does modern authentication, such as Outlook Mobile.
  ■ For mobile use, an app protection policy, meaning the application is mobile application managed (MAM) in Intune, which prevents corporate data from being moved to non-corporate resources. For example, you cannot save an attached Word document from your corporate email to a personal OneDrive account; it can only be saved to a corporate OneDrive account.
  ■ Forcing the user to perform a password change. This is used with the user risk score.

■ Session Controls These can enable a limited user experience with specific cloud applications, such as:

  ■ App-enforced restrictions that limit what can be done in Exchange Online and SharePoint Online. For example, if you are coming from a non-corporate device, you can only read items on SharePoint Online, but you cannot download them.
  ■ Conditional access app control, which works with MCAS to monitor the session to prevent data exfiltration, protect sensitive data on download with Azure Information Protection, monitor for compliance, and block access altogether.
  ■ Sign-in frequency, which defines the amount of time before a user is asked to sign in again when attempting to access a resource.
  ■ Persistent browser session, which enables a user to remain signed in after closing and reopening their browser window.

■ Enable Policy Can be set to Report-only, On, or Off. Use Report-only to determine how the policy will function before enforcing it.


EXAM TIP

Make sure you understand the different configuration options when configuring a conditional access policy and what controls can be enforced on access.


Multiple policies can be created. When a user signs in, all policies are applied. There is no preference order when it comes to conditional access policies. Planning and forethought should be used to strike the correct balance of securing the resources, enabling users to access resources, and not having so many policies that management becomes unwieldy and confusing.
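As an added illustration (not code from this book or from Microsoft), the following Python models the combination rules just described: every matching policy applies at once, a block control wins, every required grant control must be satisfied, and report-only policies are only recorded. The policy dictionaries borrow the field names of the Microsoft Graph conditionalAccessPolicy resource; the policy names, the role name, the app names and the Finance app id are constructed placeholders.

```python
"""Constructed model of how Azure AD conditional access combines policies (added for this
section, not Microsoft's engine). Policies use the shape of the Microsoft Graph
conditionalAccessPolicy resource; the combination rules are the ones the text states: all
matching enabled policies apply at once, block wins, every grant control must be met, and
report-only policies are evaluated but only recorded."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: frozenset
    roles: frozenset
    app: str
    client_app_type: str  # browser | mobileAppsAndDesktopClients | exchangeActiveSync | other
    platform: str         # windows | android | iOS | macOS | linux
    location: str         # a named-location id, or "untrusted" for anything else
    sign_in_risk: str     # none | low | medium | high
    satisfied: frozenset  # grant controls already met, e.g. {"mfa", "compliantDevice"}


def _hit(values, actual, wildcard):
    """True when a non-empty condition list names `actual` or the wildcard ("All"/"all")."""
    return bool(values) and (wildcard in values or actual in values)


def policy_applies(policy, s):
    """Mirror the Users and groups / Cloud apps / Conditions assignments of a policy."""
    c = policy["conditions"]
    u, a = c["users"], c["applications"]
    included = (_hit(u.get("includeUsers", []), s.user, "All")
                or any(g in s.groups for g in u.get("includeGroups", []))
                or any(r in s.roles for r in u.get("includeRoles", [])))
    excluded = (s.user in u.get("excludeUsers", [])
                or any(g in s.groups for g in u.get("excludeGroups", []))
                or any(r in s.roles for r in u.get("excludeRoles", [])))
    if not included or excluded:
        return False
    if not _hit(a.get("includeApplications", []), s.app, "All") or s.app in a.get("excludeApplications", []):
        return False
    # Remaining conditions are optional: absent or empty means "not configured" (no restriction).
    plat, loc = c.get("platforms") or {}, c.get("locations") or {}
    if c.get("clientAppTypes") and not _hit(c["clientAppTypes"], s.client_app_type, "all"):
        return False
    if plat.get("includePlatforms") and not _hit(plat["includePlatforms"], s.platform, "all"):
        return False
    if loc.get("includeLocations") and not _hit(loc["includeLocations"], s.location, "All"):
        return False
    return not c.get("signInRiskLevels") or s.sign_in_risk in c["signInRiskLevels"]


def evaluate(policies, s):
    """Apply every matching policy at once; conditional access has no policy ordering."""
    report_only, required, blocked_by = [], {}, []
    for p in policies:
        if p["state"] == "disabled" or not policy_applies(p, s):
            continue
        if p["state"] == "enabledForReportingButNotEnforced":
            report_only.append(p["displayName"])  # logged, never enforced
            continue
        grant = p.get("grantControls") or {}
        controls = set(grant.get("builtInControls", []))
        if "block" in controls:
            blocked_by.append(p["displayName"])
        elif controls:
            required[p["displayName"]] = (grant.get("operator", "OR"), controls)
    if blocked_by:  # a block control beats every grant control
        return {"decision": "block", "by": blocked_by, "reportOnly": report_only}
    unmet = {}
    for name, (op, controls) in required.items():
        ok = controls <= s.satisfied if op == "AND" else bool(controls & s.satisfied)
        if not ok:
            unmet[name] = sorted(controls - s.satisfied)
    if unmet:  # the user must complete these controls before access is granted
        return {"decision": "require", "unmet": unmet, "reportOnly": report_only}
    return {"decision": "grant", "applied": sorted(required), "reportOnly": report_only}


# Constructed policies modelled on the common ones listed in this section (real policies use GUIDs).
POLICIES = [
    {"displayName": "Require MFA for administrators", "state": "enabled",
     "conditions": {"users": {"includeRoles": ["Global Administrator"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA when sign-in risk is detected", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "signInRiskLevels": ["medium", "high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require compliant device for Finance app",
     "state": "enabledForReportingButNotEnforced",  # report-only: observe before enforcing
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["<finance-app-id placeholder>"]}},
     "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice", "mfa"]}},
]
```

Running the same user through `evaluate` with and without `"mfa"` in `satisfied` shows the difference between a policy that prompts and one that grants; a sign-in that matches the block policy is blocked even when every grant control is already met.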


MORE INFO CONDITIONAL ACCESS POLICY PLANNING


To learn more about planning your conditional access deployment and best practices, see 
https://aka.ms/SC900_CAPlanning. 


Following are some common policies that many organizations tend to configure with the above configuration choices:

■ Require MFA for administrators
■ Block legacy authentication
■ Require MFA for all users
■ Require MFA for Azure management
■ Require compliant devices
■ Block access by locations that the company doesn't operate from or do business with
■ Require MFA when risk is detected
■ Require a company device or location when registering for MFA


MORE INFO CONDITIONAL ACCESS RECOMMENDED POLICIES


For recommended conditional access policies, see https://aka.ms/m365goldenconfig. 


Describe the benefits of Azure AD roles 


Azure AD has many built-in roles that allow the holder of that role to perform Azure AD management tasks that a regular user cannot perform (see Figure 2-24). People should be assigned roles that satisfy the least privilege they need to complete the task. For example, if someone needs to administer the devices in Azure AD for the organization, they should use the Cloud Device Administrator role, not the Global Administrator role. Though the Global Administrator role has the permissions needed to manage devices, it has far more privileges than necessary to perform the task of managing devices. This additional (unneeded) privilege could increase the damage of an inadvertent mistake by the admin or the damage of a compromised account by an attacker. Following the model of least privilege is one of three zero-trust principles.
[Figure: Azure portal Users blade (Home > Default Directory > Users) for Nicholas Dicola, Assigned roles, showing "No directory roles assigned" and the Add assignments picker listing the built-in directory roles with their descriptions]

FIGURE 2-24 Azure AD roles available to assign to the user


A good analogy is to think about the way a submarine is designed. A leak in one area of the hull is contained to that area and doesn't sink the entire ship. Roles following the principle of least privilege work in a similar manner. The Cloud Device Administrator role cannot delete the directory like a Global Administrator can. Always follow the principle of least privilege. The following built-in roles exist in Azure AD:


■ Application Administrator Can create and manage all aspects of app registrations and enterprise apps
■ Application Developer Can create application registrations independent of the Users Can Register Applications setting
■ Attack Payload Author Can create attack payloads that an administrator can initiate later
■ Attack Simulation Administrator Can create and manage all aspects of attack simulation campaigns
■ Authentication Administrator Can view, set, and reset authentication method information for any non-admin user
■ Authentication Policy Administrator Can create and manage all aspects of authentication methods and password protection policies
■ Azure AD Joined Device Local Administrator Users assigned to this role are added to the local administrators group on Azure AD-joined devices
■ Azure DevOps Administrator Can manage Azure DevOps organization policy and settings
■ Azure Information Protection Administrator Can manage all aspects of the Azure Information Protection product
■ B2C IEF Keyset Administrator Can manage secrets for federation and encryption in the Identity Experience Framework (IEF)
■ B2C IEF Policy Administrator Can create and manage trust framework policies in the Identity Experience Framework (IEF)
■ Billing Administrator Can perform common billing-related tasks like updating payment information
■ Cloud Application Administrator Can create and manage all aspects of app registrations and enterprise apps except App Proxy
■ Cloud Device Administrator Limited access to manage devices in Azure AD
■ Compliance Administrator Can read and manage compliance configuration and reports in Azure AD and Microsoft 365
■ Compliance Data Administrator Creates and manages compliance content
■ Conditional Access Administrator Can manage conditional access capabilities
■ Customer Lockbox Access Approver Can approve Microsoft support requests to access customer organizational data
■ Desktop Analytics Administrator Can access and manage desktop management tools and services
■ Directory Readers Can read basic directory information. Commonly used to grant directory read access to applications and guests
■ Directory Synchronization Accounts Only used by the Azure AD Connect service
■ Directory Writers Can read and write basic directory information and is used for granting access to applications (not intended for users)
■ Domain Name Administrator Can manage domain names in the cloud and on-premises
■ Dynamics 365 Administrator Can manage all aspects of the Dynamics 365 product
■ Exchange Administrator Can manage all aspects of the Exchange product
■ Exchange Recipient Administrator Can create or update Exchange Online recipients within the Exchange Online organization
■ External ID User Flow Administrator Can create and manage all aspects of user flows
■ External ID User Flow Attribute Administrator Can create and manage the attribute schema available to all user flows
■ External Identity Provider Administrator Can configure identity providers for use in direct federation
■ Global Administrator Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities
■ Global Reader Can read everything that a Global Administrator can, but not update anything
■ Groups Administrator Members of this role can create/manage groups, create/manage group settings like naming and expiration policies, and view groups' activity and audit reports
■ Guest Inviter Can invite guest users independent of the Members Can Invite Guests setting
■ Helpdesk Administrator Can reset passwords for non-administrators and Helpdesk Administrators
■ Hybrid Identity Administrator Can manage AD to Azure AD cloud provisioning, Azure AD Connect, and federation settings
■ Insights Administrator Has administrative access to the Microsoft 365 Insights app
■ Insights Business Leader Can view and share dashboards and insights via the M365 Insights app
■ Intune Administrator Can manage all aspects of the Intune product
■ Kaizala Administrator Can manage settings for Microsoft Kaizala
■ Knowledge Administrator Can configure knowledge, learning, and other intelligent features
■ License Administrator Can manage product licenses on users and groups
■ Message Center Privacy Reader Can read security messages and updates in Office 365 Message Center only
■ Message Center Reader Can read messages and updates for their organization in Office 365 Message Center only
■ Modern Commerce User Can manage commercial purchases for a company, department, or team
■ Network Administrator Can manage network locations and review enterprise network design insights for Microsoft 365 Software as a Service (SaaS) applications
■ Office Apps Administrator Can manage Office apps cloud services, including policy and settings management, and can manage the ability to select, unselect, and publish "what's new" feature content to users' devices
■ Password Administrator Can reset passwords for non-administrators and Password Administrators
■ Power BI Administrator Can manage all aspects of the Power BI product
■ Power Platform Administrator Can create and manage all aspects of Microsoft Dynamics 365, PowerApps, and Microsoft Flow
■ Printer Administrator Can manage all aspects of printers and printer connectors
■ Printer Technician Can register and unregister printers and update printer status
■ Privileged Authentication Administrator Can view, set, and reset authentication method information for any user (admin or non-admin)
■ Privileged Role Administrator Can manage role assignments in Azure AD and all aspects of Privileged Identity Management
■ Reports Reader Can read sign-in and audit reports
■ Search Administrator Can create and manage all aspects of Microsoft Search settings
■ Search Editor Can create and manage the editorial content, such as bookmarks, Q&As, locations, and floorplans
■ Security Administrator Can read security information and reports and manage configuration in Azure AD and Office 365
■ Security Operator Creates and manages security events
■ Security Reader Can read security information and reports in Azure AD and Office 365
■ Service Support Administrator Can read service health information and manage support tickets
■ SharePoint Administrator Can manage all aspects of the SharePoint service
■ Skype for Business Administrator Can manage all aspects of the Skype for Business product
■ Teams Administrator Can manage the Microsoft Teams service
■ Teams Communications Administrator Can manage calling and meetings features within the Microsoft Teams service
■ Teams Communications Support Engineer Can troubleshoot communications issues with Teams using advanced tools
■ Teams Communications Support Specialist Can troubleshoot communications issues with Teams using basic tools
■ Teams Devices Administrator Can perform management-related tasks on Teams-certified devices
■ Usage Summary Reports Reader Can see only tenant-level aggregates in the Microsoft 365 Usage Analytics and Productivity Score
■ User Administrator Can manage all aspects of users and groups, including resetting passwords for limited admins


MORE INFO AZURE AD ROLES MORE DETAILS

To learn more about each Azure AD role, see https://aka.ms/SC900_AADRoles.
Skill 2-4: Describe the identity protection and governance capabilities of Azure AD


This objective deals with advanced security features and governance. All the functionality in this section requires an Azure AD Premium P2 license. You will learn why governance is important from both a security and a productivity perspective, as well as common scenarios where you can implement governance practices. You will also learn about Privileged Identity Management and how it can greatly reduce the risk related to administrative accounts. Finally, you will learn about identity protection and its risk signals and how they can be used to prompt users for MFA only when risk is detected.


Describe what identity governance is 


Identity governance ensures the right people have the right access to the right resources over the full lifecycle of their accounts. This helps increase the security of the organization as well as enable productivity. Walking through a few scenarios will make the need for identity governance clearer.


A new employee starts at your company in the sales department. What resources should 
they have access to? Who determines this access? Who approves this access? How long does 
this process take? Let's say the employee asks their manager for help. The manager might put 
a request in with the help desk. The help desk now must pick up this request and process it. 
The employee might need to be added to multiple groups, sites, and applications. All these 
changes must be processed. This takes time, and the new hire isn’t productive until it happens. 
What if an application or SharePoint site was missed in the initial request by the manager or 
help desk? Now another request needs to be sent and manually processed. All the while, the 
employee can’t start their new job. 


Sometime later, this sales employee is ready to take on some new challenges and switches to a job in engineering. A similar process as above takes place. However, as part of that request, nobody thinks to remove the previous access. Now the employee has access to all the resources for engineering and sales. Should they? Are there regulatory rules that require some of this data to be separate? Even though the employee didn't access the resource, can that be proven to an auditor? What about ethical rules between these two different data sets?


This scenario also applies to administrator accounts where the damage can be even more 
drastic. Someone who was once a SharePoint administrator and who moves into a new role 
without having their old admin privileges removed might be able to see more information than 
they should be able to see in the environment. 


This also applies to external guest users. For example, let's say Contoso is partnering with another company on a very secret new product they will launch together. Should everyone at the partner company be able to access the SharePoint site where the secret documents are stored? Who is the right person to decide who at the partner company should be able to access them? If this is a long-running project, do people who completed their task at the beginning still need access at the very end?
These problems are not unique to Contoso. They are also not new to the industry. You might have heard them previously described as identity lifecycle management, access lifecycle management, or the joiner/mover/leaver (JML) process. Azure AD identity governance, entitlement management, and access reviews aim to help a company address these four questions:

■ Which users should have access to which resources?
■ What are those users doing with that access?
■ Are there effective organizational controls for managing access?
■ Can auditors verify that the controls are working?


Describe what entitlement management and access reviews are


Entitlement management resolves some of the previous challenges around identity and access management at scale using automation. It does this by automating access request workflows, access assignment, reviews, and handling expiration of access, which reduces the risk of forgetting or overlooking these important but manual tasks. The overview page of entitlement management can be seen in Figure 2-25.


[Figure: Identity Governance overview blade (Home > Default Directory) with navigation sections for Entitlement management (Access packages, Catalogs, Connected organizations, Reports, Settings), Access reviews (Overview, Access reviews, Programs), Privileged Identity Management (Azure AD roles, Azure resources) and Terms of use, plus summary cards: Entitlement management "Manage access lifecycle at scale by automating request workflows, assignments, reviews, and expiration", Access reviews "Enable certification campaigns for SaaS apps, remove excessive access, block guest access, and delete accounts", and Privileged Identity Management "Enable just-in-time and scheduled access, alerts, and approval workflows for Azure AD and Azure Resource roles"]

FIGURE 2-25 Identity Governance overview
Entitlement management uses access packages. An access package enables you to do a one-time setup of resources and policies that automatically administers access for the life of the access package. You can think of it as a bundle of resources a user would need to work on a project or perform a task. Access packages work well when departments want to manage their own access without IT involvement, when access requires approval by an individual such as a manager, when employees need time-limited access for a particular task, and for external collaboration on a project with B2B guest users.


Using the Contoso example we've used throughout this chapter, instead of trying to ensure 
all members of the sales department have access to the correct resources every time a new 
person is added to the sales department or when a new sales resource needs to be assigned 
to all users, we can have an access package for the sales department. This would bundle all the 
resources anyone working in sales would need. This makes sure that access is consistent for all 
sales department users and if a new resource needs to be added it could be added to this one 
access package. This would also scale out for other departments in Contoso. We could have 
another access package for engineering. Likewise, we could also have an access package for 
our secret partner project that includes those Azure AD B2B guest accounts. 


An administrator or a delegated access package manager can define what is included in an access package. This means a business unit can manage its own access policies for its resources without IT involvement. Each access package has one or more policies. A policy determines who can request access, who approves the request, and when access expires if it is not renewed. The following resources can be managed with entitlement management:

■ Membership of Azure AD security groups
■ Membership of Microsoft 365 Groups and Teams
■ Membership of SharePoint Online sites
■ Assignment to Azure AD applications, which includes SaaS apps or LOB apps
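The following Python, an added illustration rather than the book's or Microsoft's code, models the Contoso scenario from this section: one access package per department, each with an approver and an expiry set by its policy, and a review of a mover who still holds Sales access. Package names, resource labels, user names and dates are constructed.

```python
"""Constructed model of access packages, time-limited assignments and a mover review.

Added illustration for this section; it is not the Azure AD entitlement management or
access review implementation. Package names, resources, users and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class AccessPackage:
    """Bundle of resources plus the policy that governs requests for it."""
    name: str
    resources: frozenset  # "group:<name>", "site:<name>" or "app:<name>" (constructed labels)
    approver: str         # the only identity allowed to approve requests under this policy
    duration_days: int    # access expires after this many days unless renewed


@dataclass(frozen=True)
class Assignment:
    user: str
    package: str
    expires: date


def request_access(pkg, user, approved_by, today):
    """Approval is bound to the package policy, and the expiry is set automatically."""
    if approved_by != pkg.approver:
        raise PermissionError(f"{approved_by} may not approve requests for {pkg.name}")
    return Assignment(user, pkg.name, today + timedelta(days=pkg.duration_days))


def effective_access(user, assignments, packages, today):
    """Resources the user holds today; an expired assignment simply stops granting anything."""
    held = set()
    for a in assignments:
        if a.user == user and a.expires > today:
            held |= packages[a.package].resources
    return held


def mover_review(user, assignments, packages, direct_grants, new_package, today):
    """Review a user who changed jobs: what to revoke, what to grant, what to bring under a package.

    direct_grants are resources given by hand outside entitlement management (a manual group
    add, a shared site); that is exactly the access that goes stale when nobody removes it.
    """
    held = effective_access(user, assignments, packages, today) | direct_grants
    expected = packages[new_package].resources
    return {
        "revoke": sorted(held - expected),                      # old-role and ad hoc access
        "grant": sorted(expected - held),                       # missing pieces of the new role
        "move_into_package": sorted(direct_grants & expected),  # right access, wrong mechanism
    }


# Constructed Contoso packages: one per department, as the section suggests.
PACKAGES = {
    "Sales": AccessPackage("Sales", frozenset({"group:Sales", "site:SalesPortal", "app:CRM"}),
                           "sales-manager", 180),
    "Engineering": AccessPackage("Engineering",
                                 frozenset({"group:Engineering", "site:EngWiki", "app:SourceControl"}),
                                 "eng-manager", 180),
}


def contoso_mover_scenario():
    """Alice joined Sales in January and moved to Engineering in June; nobody removed Sales."""
    joined = request_access(PACKAGES["Sales"], "alice", "sales-manager", date(2021, 1, 4))
    today = date(2021, 6, 1)
    # Her new team added her to their group by hand instead of through the Engineering package.
    return mover_review("alice", [joined], PACKAGES, {"group:Engineering"}, "Engineering", today)
```

The review output lists the three Sales resources to revoke, the two Engineering resources she never received, and the hand-made group membership that should be replaced by an Engineering package assignment so that it expires and is reviewed like everything else.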


MORE INFO AZURE AD ENTITLEMENT MANAGEMENT

To learn more about Azure AD entitlement management, see https://aka.ms/SC900_EntitlementMgmt.


Another key aspect of governance is to make sure access is being reviewed periodically to ensure that people who no longer need access are removed. This is where access reviews come into play. Access reviews, as seen in Figure 2-26, are used to review group memberships, access to applications, and role assignments. These reviews can and should be done on a regular basis, such as weekly, monthly, quarterly, or annually. The reviewers of the membership can be the group owners or specified reviewers, or the members themselves can perform a self-review.
[Figure: New access review wizard (Home > Default Directory > Identity Governance) with Step 1 "Select what to review" (Teams + Groups or Applications), Step 2 "Select which Teams + Groups" (All Microsoft 365 groups with guest users, or selected teams + groups, with groups to exclude), and Step 3 "Select review scope" (Guest users only)]

FIGURE 2-26 New access review for guest users


At the beginning of this section, we used a very common example in which an administrator changes roles, but their previous administrator permissions were not removed. This is one of the most important areas to focus on because of the power administrative access has in the environment. Periodically performing an access review to see who has been assigned to privileged roles is critical and is an excellent use case for access reviews.


Another important thing to consider regarding access reviews is who has access to business-critical data. Requiring users to self-review and provide the reason why they still need access to it aids auditing. This is especially useful for Azure AD B2B guest accounts, which might not be part of the regular IAM process.


Another excellent use of access reviews is the periodic review of users who are on an exception list for a company-wide policy. For example, let's say you've applied an Azure AD conditional access policy to all business units in the environment to block legacy authentication. Further, let's say that some people who might not be able to comply with the policy have been granted an exception from the policy for a short period of time. Perhaps they were running an older version of Outlook and were getting an upgraded version in seven weeks. Someone would have to remember to remove them from this exception list in seven weeks. With access reviews, the exception list can be reviewed at regular intervals to ensure that users are not permanently exempt. If they need to continue to be exempt, a justification is provided. Again, this helps with the audit trail.
Access reviews should be used any time automation isn't used for group membership or when the group is being reused for a new purpose. If there is no automation, the membership will get stale. Access reviews will help ensure only the correct people have membership in the group. When groups are used for different purposes than originally intended, it's a good practice to review the membership, and members should be removed based on this new purpose.


MORE INFO ACCESS REVIEWS


To learn more about Access Reviews, see https://aka.ms/SC900_AccessReviews. 


Describe the capabilities of PIM 


Privileged Identity Management (PIM), as seen in Figure 2-27, allows you to remove standing admin access, where accounts are permanent members of a privileged role or group. PIM implements time-based and approval-based activation of administrative roles, which greatly reduces the exposure of the most privileged accounts in the environment.


[Figure 2-27 shows the Privileged Identity Management Quick start blade in the Azure portal (Home > Default Directory > Identity Governance > Privileged Identity Management). The navigation lists Quick start, My roles, Approve requests, Review access, Azure AD roles, Privileged access groups (Preview), Azure resources, and My audit history. Three panels summarize the service: Manage access (users with excessive access are vulnerable in the event of account compromise; manage to least privilege by periodically reviewing, renewing, or extending access), Activate just in time (reduce the potential for lateral movement by eliminating persistent access to privileged roles and resources; enforce just-in-time access to critical roles with PIM), and Discover and monitor (know who has access to what, and receive notifications when new assignments are granted).]

FIGURE 2-27 Privileged Identity Management


For example, you could configure PIM so that a help desk support staff member only has the right to change a user's password for a maximum of 60 minutes once their request for that right has been approved by a specific authorized administrator. PIM differs from earlier administrative models, where help desk support staff members typically could change Azure AD user passwords at any time, even when they did not need to. PIM enables you to do the following:


■ Configure just-in-time privileged access to Azure AD and Azure resources. Just-in-time access is limited to an amount of time (1 hour, 4 hours, 8 hours, and so on), rather than allowing permanent access to those resources.

■ Assign time-bound access to resources using start and end dates. For example, if maintenance is going to start on Saturday from 9 PM to 6 AM, this can be prescheduled, so the admin has their elevated rights during this time.

■ Require approval from another administrator, user, or group when activating privileged roles.

■ Require multifactor authentication to occur before role activation.

■ Require users to provide recorded written justification of why they need to perform activation. This allows auditors at a later stage to correlate the administrative activity that occurs with the stated reason for providing privileged access.

■ Provide notifications, such as email alerts sent to a distribution list, when privileged roles are activated.

■ Provide notifications when a privileged role is assigned outside of PIM.

■ Perform access reviews to determine how often privileges are used and whether specific users still require roles.

■ Export an audit history that can be examined by internal or external auditors.


Describe Azure AD Identity Protection 


Azure AD Identity Protection provides the advanced identity security capabilities of Azure AD. There are three aspects to Identity Protection: the console, the policies, and the risk events themselves.

The Identity Protection console seen in Figure 2-28 is used for investigation of risk events. It provides an organizational view of the risky users, new risky users, new risky sign-ins, and users who are not protected by any risk policies.


[Figure 2-28 shows the Identity Protection Overview blade in the Azure portal, with a 30-day date range, tiles for New risky users detected, High risk users, and Unprotected risky sign-ins, and links to Configure user risk policy and Configure sign-in risk policy.]

FIGURE 2-28 Identity Protection Overview
However, the real power is in the automated remediation of identity-based risks through policies. These automation policies can be configured in Identity Protection or as part of a conditional access policy. There are two different types of policies:

■ Sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner. If a sign-in is determined to be risky, a sign-in risk policy lets administrators specify whether to block access or to allow access but require multifactor authentication.

■ User risk represents the probability that a given identity or account is compromised. It is the aggregate risk for the user. User risk policies allow administrators to block access, allow access, or allow access but require a password change with MFA when the policy is triggered.


Finally, there are the risk events themselves. There are two categories of risk events: user risk events, which are calculated offline, and sign-in risk events, which are calculated both in real time and offline.

The user risk events include the following:

■ Leaked credentials The user's clear-text username and password have been discovered in a data breach, either on the dark web or through other means.

■ Azure AD threat intelligence User activity that is unusual for the given user and is consistent with known attack patterns based on Microsoft's internal or external threat intelligence sources.


The sign-in risk events include the following:

■ Anonymous IP address When a user signs in from an anonymous IP address. While a user might be using an anonymizing VPN to access organizational resources, attackers also use tools such as TOR nodes when launching compromise attempts.

■ Atypical travel When a user's sign-ins indicate an unusual shift in location, with at least one of the locations considered atypical for that user. This could include a user signing in from London and then New Orleans within a two-hour period, when the flight between the two cities takes much longer than that.

■ Malware-linked IP address When the IP address the user is signing in from is known to be part of a malware botnet or has in the past exhibited other malicious network activity.

■ Unfamiliar sign-in properties When a user's sign-in properties differ substantially from those that have been observed in the past.

■ Admin-confirmed user compromise Indicates that an administrator has selected Confirm User Compromised, either through the portal or the riskyUsers API.

■ Malicious IP address A sign-in from an IP address considered malicious based on high failure rates of invalid credentials or other IP reputation sources.

■ Password spray When multiple usernames are attacked using a common password. This is triggered when a password spray has been performed.

■ Suspicious inbox manipulation rules Comes from Microsoft Cloud App Security (MCAS) when suspicious rules that delete or move messages are set on the user's inbox.

■ Impossible travel Comes from MCAS when two user activities in a single session or multiple sessions occur from geographically distant locations. Similar to the atypical travel event.

■ New country Comes from MCAS and considers past activity locations to determine new and infrequent locations.

■ Activity from anonymous IP address Comes from MCAS and is similar to the anonymous IP address risk event.

■ Suspicious inbox forwarding Comes from MCAS and looks for suspicious email forwarding rules.


MOREINFO IDENTITY PROTECTION RISK GENERATION

To generate your own identity protection risk events, see https://aka.ms/SC900_IdentityProtectionGenerateRisk.


Thought experiment 


In this thought experiment, demonstrate your skills and knowledge of the topics covered in this 
chapter. You can find answers to this thought experiment in the next section. 


Identity and access at Contoso 


You are one of the Azure AD administrators for Contoso, an online general store that specializes in a variety of products for around the home. As a part of your duties for Contoso, you have added a new SaaS application from the gallery in your Azure AD tenant. Contoso cares greatly about the security of its environment. Contoso needs to make sure users are performing MFA or are coming from a trusted device before they can access this new application. However, the company hasn't had its users register for MFA yet. Password resets are causing a high volume of calls to their help desk, which is expensive. The Contoso CISO would like users to be able to perform self-service password reset and register for MFA, but the company doesn't want users to have to go through the registration process more than once.
Contoso is also adopting and focusing on zero-trust principles. Least privilege is a key focus for the administrator team, too. Today, admins have a separate permanent admin account to perform administrative actions. On further investigation, the admin account is actually used for only a few hours a week, yet it holds these permissions 24 hours a day, 7 days a week, and 365 days a year. This is not following the principle of least privilege. Contoso needs to remove this permanent access and move to a model where administrators can use their administrative privileges only when needed. With this information in mind, answer the following questions:


1. How can you assign your users to register for MFA and SSPR at once? 


2. How can you ensure users are signing in to resources from a corporate device or 
performing MFA? 


3. How can you ensure that administrators are only using their administrative access 
when it is truly needed? 


Thought experiment answers 


This section contains the solution to the thought experiment. Each answer explains why the 
answer choice is correct. 


1. You can enable the combined security registration under User Settings, User Feature 
Previews. Then make sure Users Can Use The Combined Security Information 
Registration Experience is enabled. 


2. You should configure a conditional access policy, and in the Grant Controls section, 
select Require Multi-Factor Authentication, Require Hybrid Azure AD Joined 
Device, and Require Device To Be Marked As Compliant. Then make sure Require 
One Of The Selected Controls is selected. 


3. You can configure Privileged Identity Management to remove all standing access. Administrators would then need to activate their privileged role whenever admin access is needed.


Chapter summary 


■ Self-service password reset allows users to reset their passwords; combined with password writeback, it enables passwords changed within Azure AD to be written back to an Active Directory Domain Services environment.

■ Conditional access policies enable you to set what conditions must be met for users, groups, and roles to access resources based on grant conditions.

■ Azure AD roles enable administrators to leverage RBAC and should follow least privilege whenever possible.

■ Entitlement management helps ensure the right users have the right access at the right time and can be proven with an audit trail.

■ Privileged Identity Management enables just-in-time administration and just-in-time access to Azure resources.

■ Identity Protection is the advanced identity security in Azure AD that focuses on user risk and sign-in risk.
CHAPTER 3 Capabilities of Microsoft security solutions


When designing a security solution using Microsoft technologies, it is important to consider the entire portfolio of options, so you have a complete approach for resources located in Azure, Microsoft 365, other clouds, on-premises IT, and operational technology (OT) and Internet of Things (IoT) devices. These workloads must be equally monitored and protected and provide a seamless experience to the user. To manage active attacks, data from these workloads should be ingested into Microsoft Sentinel to ensure that you have a single view across your entire environment, which will facilitate the work of your security operations analysts.

To head off potential attacks, it's also important to focus on configuring and monitoring the security configuration. To ensure that endpoint devices don't become the weakest link in your protection strategy, you need to leverage Microsoft Intune, which is a mobile device management (MDM) and mobile application management (MAM) solution.


Skills covered in this chapter:
■ Basic security capabilities in Azure
■ Security management capabilities in Azure
■ Security capabilities of Microsoft Sentinel
■ Threat protection with Microsoft 365 Defender
■ Security management capabilities of Microsoft 365
■ Endpoint security with Microsoft Intune


Skill 3-1: Basic security capabilities in Azure 


It is important to understand the foundational security capabilities that are natively available 
in Azure. These capabilities are going to help you to implement some of the Zero-Trust 
principles that were covered in Chapter 1. This section of the chapter covers the skills 
necessary to describe basic security capabilities in Azure according to the Exam SC-900 
outline. 
Azure network security groups

A network security group (NSG) in Azure enables you to filter network traffic by creating rules that allow or deny inbound network traffic to, or outbound network traffic from, different types of resources. For example, you could configure an NSG to block traffic from the internet inbound to a specific subnet, only allowing traffic that comes from a Network Virtual Appliance (NVA).

Network security groups can be associated with a subnet or with the network interface of a VM, as shown in Figure 3-1.


[Figure 3-1 shows VNet SC-900 with Subnet A and Subnet B connected to the Internet; one NSG is associated with Subnet A, while in Subnet B the NSGs are associated with the network interfaces of the individual VMs.]

FIGURE 3-1 Different NSG implementations


In Figure 3-1, two different uses of NSG are shown. In the first case, the NSG is assigned to Subnet A. This can be a good way to secure the entire subnet with a single set of NSG rules. However, there will be scenarios where you might need to control the NSG on the network interface level, which is the case in the second scenario (Subnet B), where VM 5 and VM 6 have an NSG assigned to the network interface.

When traffic is coming through the VNet (inbound traffic), Azure processes the NSG rules that are associated with the subnet first, if there is one, and then Azure processes the NSG rules that are associated with the network interface. When the traffic is leaving the VNet (outbound traffic), Azure processes the NSG rules that are associated with the network interface first, and then the NSG rules that are associated with the subnet.




When you create an NSG, you need to configure a set of rules to harden the traffic. These rules use the following parameters:

■ Name The name of the rule.

■ Priority The order in which the rule will be processed. Lower numbers have higher priority, which means that a rule with priority 100 will be evaluated before a rule that has priority 300. Once the traffic matches a rule, evaluation stops and no further rules are considered. When configuring the priority, you can assign a number between 100 and 4,096.

■ Source Defines the source IP, CIDR block, service tag, or application security group.

■ Destination Defines the destination IP, CIDR block, service tag, or application security group.

■ Protocol Defines the TCP/IP protocol that will be used, which can be TCP, UDP, or ICMP. If you want to allow any protocol, choose Any.

■ Port Range Defines the port range or a single port.

■ Action This parameter can be configured to Allow or Deny.


Before creating a new NSG and adding new rules, it is important to know that Azure automatically creates default rules at NSG deployment. Below is a list of inbound rules that are created:

AllowVNetInBound
■ Priority 6500
■ Source VirtualNetwork
■ Source Ports 0-65535
■ Destination VirtualNetwork
■ Destination Ports 0-65535
■ Protocol Any
■ Access Allow

AllowAzureLoadBalancerInBound
■ Priority 6501
■ Source AzureLoadBalancer
■ Source Ports 0-65535
■ Destination 0.0.0.0/0
■ Destination Ports 0-65535
■ Protocol Any
■ Access Allow

DenyAllInBound
■ Priority 6501
■ Source AzureLoadBalancer
■ Source Ports 0-65535
■ Destination 0.0.0.0/0
■ Destination Ports 0-65535
■ Protocol Any
■ Access Deny

Below is a list of outbound rules that are created:

AllowVnetOutBound
■ Priority 6501
■ Source VirtualNetwork
■ Source Ports 0-65535
■ Destination VirtualNetwork
■ Destination Ports 0-65535
■ Protocol Any
■ Access Allow

AllowInternetOutBound
■ Priority 6501
■ Source 0.0.0.0/0
■ Source Ports 0-65535
■ Destination Internet
■ Destination Ports 0-65535
■ Protocol Any
■ Access Allow

DenyAllOutBound
■ Priority 6501
■ Source 0.0.0.0/0
■ Source Ports 0-65535
■ Destination 0.0.0.0/0
■ Destination Ports 0-65535
■ Protocol Any
■ Access Deny

IMPORTANT RULES CAN BE OVERRIDDEN

Keep in mind that these default rules cannot be removed, though if necessary, you can override them by creating rules with higher priorities (that is, lower priority numbers).
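The two-layer evaluation order and the first-match rule above are easy to get wrong in practice, so here is an added Python model of NSG processing (example code, not from the book or from Azure). It applies the subnet NSG and then the NIC NSG to inbound traffic, the reverse for outbound, walks each NSG from the lowest priority number up, and falls through to Azure's default rules, which carry the priority values Azure assigns them (65000, 65001, 65500); the service-tag ranges, addresses, rule names and flows are constructed.

```python
# Added model of NSG rule evaluation (not code from the book or from Azure). Service-tag ranges,
# addresses, rule names and flows are constructed; default rules use Azure's own priority values.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# The VirtualNetwork tag covers the VNet's address space; Internet is everything outside it.
VNET_RANGES = [ip_network("10.0.0.0/16")]
SERVICE_TAGS = {"VirtualNetwork": VNET_RANGES, "AzureLoadBalancer": [ip_network("168.63.129.16/32")]}

def _matches_prefix(spec: str, addr: str) -> bool:
    """spec is '*', a service tag, a CIDR block or a single IP."""
    if spec == "*":
        return True
    if spec == "Internet":
        return not any(ip_address(addr) in net for net in VNET_RANGES)
    if spec in SERVICE_TAGS:
        return any(ip_address(addr) in net for net in SERVICE_TAGS[spec])
    return ip_address(addr) in ip_network(spec, strict=False)

def _matches_port(spec: str, port: int) -> bool:
    """spec is '*', a single port or 'low-high'."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int           # user rules 100..4096; Azure's defaults sit above that range
    direction: str          # "Inbound" or "Outbound"
    source: str
    source_ports: str
    destination: str
    destination_ports: str
    protocol: str           # "TCP", "UDP", "ICMP" or "Any"
    access: str             # "Allow" or "Deny"

# Default rules Azure adds to every NSG; the DenyAll rules match any source and destination.
DEFAULT_RULES = [
    Rule("AllowVNetInBound", 65000, "Inbound", "VirtualNetwork", "*", "VirtualNetwork", "*", "Any", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "AzureLoadBalancer", "*", "*", "*", "Any", "Allow"),
    Rule("DenyAllInBound", 65500, "Inbound", "*", "*", "*", "*", "Any", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "VirtualNetwork", "*", "VirtualNetwork", "*", "Any", "Allow"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "*", "*", "Internet", "*", "Any", "Allow"),
    Rule("DenyAllOutBound", 65500, "Outbound", "*", "*", "*", "*", "Any", "Deny"),
]

@dataclass(frozen=True)
class Flow:
    direction: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str

def evaluate_nsg(rules: List[Rule], flow: Flow) -> Rule:
    """Lowest priority number first; the first matching rule decides and nothing after it is read."""
    for rule in sorted(rules + DEFAULT_RULES, key=lambda r: r.priority):
        if rule.direction != flow.direction or rule.protocol not in ("Any", flow.protocol):
            continue
        if (_matches_prefix(rule.source, flow.src_ip) and _matches_port(rule.source_ports, flow.src_port)
                and _matches_prefix(rule.destination, flow.dst_ip) and _matches_port(rule.destination_ports, flow.dst_port)):
            return rule
    raise AssertionError("unreachable: the default DenyAll rule matches everything")

def decide(subnet_nsg: Optional[List[Rule]], nic_nsg: Optional[List[Rule]], flow: Flow) -> str:
    """Inbound: subnet NSG then NIC NSG; outbound: NIC NSG then subnet NSG. Both layers must allow."""
    layers = [subnet_nsg, nic_nsg] if flow.direction == "Inbound" else [nic_nsg, subnet_nsg]
    hits = []
    for layer in layers:
        if layer is None:                 # no NSG associated at this layer
            continue
        rule = evaluate_nsg(layer, flow)
        hits.append(rule.name)
        if rule.access == "Deny":
            return "Deny by " + rule.name
    return "Allow via " + " then ".join(hits)

# Constructed subnet NSG: only traffic arriving through the NVA at 10.0.0.4 may enter.
SUBNET_NSG = [
    Rule("AllowFromNVA", 100, "Inbound", "10.0.0.4/32", "*", "VirtualNetwork", "*", "Any", "Allow"),
    Rule("DenyInternetInbound", 200, "Inbound", "Internet", "*", "*", "*", "Any", "Deny"),
]
# Constructed NIC NSG on VM 5: opens HTTPS from anywhere, blocks outbound internet.
NIC_NSG = [
    Rule("AllowHttpsIn", 100, "Inbound", "*", "*", "*", "443", "TCP", "Allow"),
    Rule("DenyInternetOut", 100, "Outbound", "*", "*", "Internet", "*", "Any", "Deny"),
]

def demo() -> dict:
    internet_to_vm = Flow("Inbound", "203.0.113.7", 51000, "10.0.1.5", 443, "TCP")
    nva_to_vm = Flow("Inbound", "10.0.0.4", 40000, "10.0.1.5", 443, "TCP")
    vm_to_internet = Flow("Outbound", "10.0.1.5", 52000, "198.51.100.9", 443, "TCP")
    return {
        "internet_in": decide(SUBNET_NSG, NIC_NSG, internet_to_vm),     # subnet deny wins over NIC allow
        "nva_in": decide(SUBNET_NSG, NIC_NSG, nva_to_vm),
        "vm_out_with_nic_nsg": decide(SUBNET_NSG, NIC_NSG, vm_to_internet),
        "vm_out_subnet_only": decide(SUBNET_NSG, None, vm_to_internet),  # default AllowInternetOutBound
    }
```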
Follow the steps below to create and configure an NSG, which in this example will be associated with a subnet:

1. Navigate to the Azure portal by opening https://portal.azure.com.

2. In the search bar, type network security, and under Services, click Network Security Groups; the Network Security Groups page appears.

3. Click the Add button; the Create network security group page appears, as shown in Figure 3-2.


[Figure 3-2 shows the Create network security group page (Basics tab) with the Subscription, Resource group, Name, and Region fields.]

FIGURE 3-2 Initial parameters of the network security group


4. From the Subscription drop-down menu, select the subscription where this NSG will 
reside. 


5. From the Resource Group drop-down menu, select the resource group in which this 
NSG will reside. 


6. In the Name field, type the name for this NSG.

7. In the Region drop-down menu, select the Azure region in which this NSG will reside.

8. Click the Review + Create button, review the options, and click the Create button.

9. Once the deployment is complete, click the Go To Resource button; the NSG page appears.

At this point, you have successfully created your NSG, and you can see that the default rules are 
already part of it. 


Azure DDoS protection 


By default, Azure Distributed Denial of Service (DDoS) basic protection is already enabled on 
your subscription. This means that traffic monitoring and real-time mitigation of common 
network-level attacks are fully covered at the same level of defense utilized by Microsoft's 
online services. 

While the basic protection provides automatic attack mitigations against DDoS, there are some capabilities that are only provided by the DDoS Standard tier. The tier you will utilize is determined by your organization's requirements. For example, let's say the fictional Contoso organization needs to implement DDoS protection on the application level, and it needs to have real-time attack metrics and resource logs available to its team. Also, Contoso needs to create post-attack mitigation reports to present to upper management. These requirements can only be fulfilled by the DDoS Standard tier. Table 3-1 shows a summary of the capabilities available for each tier:


TABLE 3-1 Azure DDoS Basic versus Standard

Capability                                        | DDoS Basic                    | DDoS Standard
--------------------------------------------------|-------------------------------|-----------------------------------------------------------------
Active traffic monitoring and always-on detection | X                             | X
Automatic attack mitigation                       | X                             | X
Availability guarantee                            | Per Azure region              | Per application
Mitigation policies                               | Tuned per Azure region volume | Tuned for application traffic volume
Metrics and alerts                                | Not available                 | X
Mitigation flow logs                              | Not available                 | X
Mitigation policy customization                   | Not available                 | X
Support                                           | Yes, but best effort approach | Yes, and provides access to DDoS experts during an active attack
SLA                                               | Azure region                  | Application guarantee and cost protection
Pricing                                           | Free                          | Monthly usage

MOREINFO COVERED DDOS ATTACKS

For more information about the different types of pricing plans covered by Azure DDoS, visit http://aka.ms/sc900ddos.


To configure Azure DDoS, your account must be a member of the Network Contributor role, or you can create a custom role that has read, write, and delete privileges under Microsoft.Network/ddosProtectionPlans and action privileges under Microsoft.Network/ddosProtectionPlans/join. Your custom role also needs to have read, write, and delete privileges under Microsoft.Network/virtualNetworks.


Azure Firewall 


While NSG provides basic filtering, you will need a more robust solution when you need to 
protect an entire virtual network. An organization that needs a fully stateful, centralized 
network firewall-as-a-service (FaaS) that provides network- and application-level protection 
across different subscriptions and virtual networks should choose the Azure Firewall. 
Azure Firewall can also be used in scenarios where you need to span multiple availability zones for increased availability. Although there is no additional cost for an Azure Firewall deployed in an availability zone, there are additional costs for inbound and outbound data transfers associated with availability zones. Figure 3-3 shows an Azure Firewall topology with some of the capabilities available.


[Figure 3-3 shows Azure Firewall in its own subnet of virtual network A, mediating traffic between subnets A1 and A2 and the Internet. Before allowing or blocking traffic, the firewall evaluates the connectivity policy, threat intelligence for malicious IPs and fully qualified domain names (FQDNs), and the network and application traffic filtering rules.]

FIGURE 3-3 Azure Firewall topology


As shown in Figure 3-3, the Azure Firewall will perform a series of evaluations before allowing or blocking the traffic. Just like in the NSG, the rules in Azure Firewall are processed according to the rule type in the priority order (lower numbers before higher numbers). A rule collection name may contain only letters, numbers, underscores, periods, or hyphens. You can configure Network Address Translation (NAT) rules, network rules, and application rules in Azure Firewall.

Keep in mind that Azure Firewall uses a static public IP address for your virtual network resources, and you need that address before deploying your Firewall. Azure Firewall also supports learning routes via the Border Gateway Protocol (BGP).

To evaluate outbound traffic, Azure Firewall will query the network rules and the application rules. Just as with an NSG, when a match is found in a network rule, no other rules are processed. If there is no match, Azure Firewall will use the infrastructure rule collection. This collection is created automatically by Azure Firewall and includes platform-specific fully qualified domain names (FQDNs). If there is still no match, Azure Firewall denies outgoing traffic.

For incoming traffic evaluation, Azure Firewall uses rules based on Destination Network Address Translation (DNAT). These rules are also evaluated by priority before the network rules are evaluated. If a match is found, an implicit corresponding network rule to allow the translated traffic is added. Although this is the default behavior, you can override this behavior by explicitly adding a network rule collection with deny rules that match the translated traffic (if needed).
IMPORTANT INBOUND CONNECTIONS

Application rules aren't applied for inbound connections. Microsoft recommends using Web Application Firewall (WAF) if you want to filter inbound HTTP/S traffic.
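As an added example (not code from the book or from Azure), the following Python model walks through the Azure Firewall processing order just described: outbound traffic is checked against network rule collections, then application rule collections, then the infrastructure FQDN collection, and is otherwise denied; inbound traffic is matched against DNAT rule collections, and a match is implicitly allowed unless an explicit network deny rule covers the translated traffic. All rule names, addresses and FQDNs are constructed, and the platform FQDN list is a stand-in for the real infrastructure collection.

```python
# Added model of Azure Firewall rule processing (not Azure's code): DNAT, network and application
# rule collections, lowest priority number first. All addresses, FQDNs and rule names are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str                        # "TCP" or "UDP"
    fqdn: Optional[str] = None           # destination host name when known (HTTP Host / TLS SNI)

@dataclass(frozen=True)
class Rule:
    name: str
    ports: Tuple[int, ...]
    action: str = "Allow"                             # "Allow" or "Deny"
    sources: Tuple[str, ...] = ("0.0.0.0/0",)         # CIDR blocks
    destinations: Tuple[str, ...] = ("0.0.0.0/0",)    # CIDR blocks (network and DNAT rules)
    fqdns: Tuple[str, ...] = ()                       # target FQDNs, exact or leading "*." (application rules)
    protocols: Tuple[str, ...] = ("TCP",)
    translate_to: Optional[Tuple[str, int]] = None    # (ip, port) for DNAT rules

@dataclass(frozen=True)
class RuleCollection:
    name: str
    priority: int                        # lower number is processed first
    kind: str                            # "DNAT", "Network" or "Application"
    rules: Tuple[Rule, ...]

def _in_any(addr, cidrs):
    return any(ip_address(addr) in ip_network(c, strict=False) for c in cidrs)
def _fqdn_match(pattern, fqdn):
    # "*.contoso.example" matches any subdomain depth; otherwise an exact name is required.
    return fqdn is not None and (fqdn.endswith(pattern[1:]) if pattern.startswith("*.") else fqdn == pattern)
def _matches(r: Rule, pkt: Packet) -> bool:
    return (pkt.protocol in r.protocols and pkt.dst_port in r.ports
            and _in_any(pkt.src_ip, r.sources) and _in_any(pkt.dst_ip, r.destinations)
            and (not r.fqdns or any(_fqdn_match(p, pkt.fqdn) for p in r.fqdns)))

def _first_match(collections, kind, pkt):
    """Walk the collections of one type in priority order; the first matching rule wins."""
    for coll in sorted((c for c in collections if c.kind == kind), key=lambda c: c.priority):
        for r in coll.rules:
            if _matches(r, pkt):
                return r, f"{coll.name}/{r.name}"
    return None

INFRASTRUCTURE_FQDNS = ("*.azure.example",)  # constructed stand-in for the auto-created platform FQDN collection
def evaluate_outbound(collections, pkt: Packet) -> str:
    hit = _first_match(collections, "Network", pkt)
    if hit:                                       # a network match stops all further processing
        return f"{hit[0].action} (network rule {hit[1]})"
    hit = _first_match(collections, "Application", pkt)
    if hit:
        return f"{hit[0].action} (application rule {hit[1]})"
    if any(_fqdn_match(p, pkt.fqdn) for p in INFRASTRUCTURE_FQDNS):
        return "Allow (infrastructure rule collection)"
    return "Deny (no matching rule)"

def evaluate_inbound(collections, pkt: Packet) -> str:
    hit = _first_match(collections, "DNAT", pkt)
    if not hit:
        return "Deny (no DNAT match; application rules are not applied to inbound connections)"
    rule, where = hit
    ip, port = rule.translate_to
    # A DNAT match implicitly allows the translated flow; only an explicit network Deny rule
    # that matches the translated traffic overrides it.
    deny = _first_match(collections, "Network", Packet(pkt.src_ip, ip, port, pkt.protocol))
    if deny and deny[0].action == "Deny":
        return f"Deny (DNAT {where} overridden by {deny[1]})"
    return f"Allow (DNAT {where} -> {ip}:{port})"

# Constructed rule set: DNS to an internal resolver, no RDP into the database subnet, HTTPS to
# Contoso sites, and two DNAT entries on the firewall's public IP 203.0.113.10.
SAMPLE_COLLECTIONS = (
    RuleCollection("net-allow-dns", 100, "Network", (
        Rule("dns", (53,), sources=("10.0.0.0/16",), destinations=("10.1.0.4/32",), protocols=("UDP", "TCP")),)),
    RuleCollection("net-deny-mgmt", 110, "Network", (
        Rule("no-rdp-to-db", (3389,), action="Deny", destinations=("10.0.2.0/24",)),)),
    RuleCollection("app-allow-web", 200, "Application", (
        Rule("contoso-sites", (443,), sources=("10.0.0.0/16",), fqdns=("*.contoso.example",)),)),
    RuleCollection("dnat-rdp", 100, "DNAT", (
        Rule("rdp-jump", (3389,), sources=("198.51.100.0/24",), destinations=("203.0.113.10/32",), translate_to=("10.0.1.4", 3389)),
        Rule("rdp-db", (33890,), sources=("198.51.100.0/24",), destinations=("203.0.113.10/32",), translate_to=("10.0.2.5", 3389)),)),
)

def demo() -> dict:
    c = SAMPLE_COLLECTIONS
    return {
        "dns": evaluate_outbound(c, Packet("10.0.1.4", "10.1.0.4", 53, "UDP")),
        "web": evaluate_outbound(c, Packet("10.0.1.4", "192.0.2.8", 443, "TCP", "www.contoso.example")),
        "platform": evaluate_outbound(c, Packet("10.0.1.4", "192.0.2.9", 443, "TCP", "api.azure.example")),
        "other": evaluate_outbound(c, Packet("10.0.1.4", "192.0.2.9", 443, "TCP", "www.example.org")),
        "rdp_jump": evaluate_inbound(c, Packet("198.51.100.7", "203.0.113.10", 3389, "TCP")),
        "rdp_db": evaluate_inbound(c, Packet("198.51.100.7", "203.0.113.10", 33890, "TCP")),
        "no_dnat": evaluate_inbound(c, Packet("198.51.100.7", "203.0.113.10", 443, "TCP", "www.contoso.example")),
    }
```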


In Figure 3-3, you also saw that Azure Firewall leverages Microsoft Threat Intelligence during the traffic evaluation. Microsoft Threat Intelligence is based on more than 8 trillion daily context signals that are used by machine learning and other analysis techniques to inform many other services in Azure, including Microsoft Defender for Cloud.


MOREINFO MICROSOFT THREAT INTELLIGENCE 


For more information about Microsoft Threat Intelligence, see https://aka.ms/threatintelligence. 


Azure Bastion 


Azure Bastion is a PaaS service that allows people (usually IT administrators) to securely connect to virtual machines hosted on Azure using a browser and the Azure portal. Azure Bastion helps fulfill the least-privilege principle of zero-trust by providing secure access to these VM resources (and allowing you to disable other lower-security access methods like VPNs).

Azure Bastion deployment is done per virtual network (VNet), which means that you provision the Azure Bastion service in the VNet, and at that point, RDP/SSH access will be available to all virtual machines that belong to the same VNet. The general architecture is shown in Figure 3-4.
[Figure 3-4 shows VNet1 in Microsoft Azure with a Servers subnet containing the VMs and a separate Bastion subnet hosting Azure Bastion; RDP/SSH sessions from the Internet terminate at Azure Bastion, which then reaches the VMs inside the VNet.]

FIGURE 3-4 Core architecture for Azure Bastion deployment


IMPORTANT INITIATE SESSIONS FROM THE AZURE PORTAL

A session should be initiated only from the Azure portal. If you go directly to the URL from another browser session or tab, you may experience the Your Session Has Expired error.
In the SC-900 exam, when analyzing a scenario definition, you will identify clues that will lead you to use Azure Bastion. For example, let's say a Contoso administrator does not want to use a public IP on the company's VMs but needs to provide external RDP access to those VMs. This is a typical scenario in which Azure Bastion is the best design choice. Also, by not exposing the public IP (v4 only) address, your VM is not susceptible to a port scanning attack.

Although Azure Bastion receives external requests, you don't need to worry about hardening the service because Azure Bastion is a fully managed PaaS service, and the Azure platform automatically keeps Azure Bastion hardened and up to date for you. This approach also helps prevent attacks on unpatched VMs and attacks that use zero-day exploits. Azure Bastion allows up to 25 concurrent RDP sessions and 50 concurrent SSH connections. Although this is the official limit, a high-usage session can affect how Azure Bastion manages other connections. In other words, Bastion might allow fewer than the maximum connections based on the current conditions.

To establish a connection to Azure Bastion, you need the Reader role on the virtual machine, the Reader role on the NIC with the VM's private IP, and the Reader role on the Azure Bastion resource.


Web Application Firewall 


Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities. WAF is a complement to Azure Firewall because it focuses on threats that target the application layer, while Azure Firewall is more focused on threats at the network layer. Also, Azure allows you to deploy WAF according to your needs, so it is important that you understand the design requirements before deciding which WAF deployment should be used.

Review the flowchart available at http://aka.ms/wafdecisionflow to better understand the available WAF options and how to select the best option according to your scenario. If your scenario has all the following characteristics, you should use WAF with Front Door:

■ Your web application uses HTTP/HTTPS
■ You are using an Internet-facing app
■ Your web application is globally distributed across different regions
■ Your app is hosted in PaaS (such as Azure App Service)

Consider deploying WAF on Front Door when you need a global and centralized solution. When using WAF with Front Door, every incoming request is inspected at the network edge before Front Door delivers it to the web application. If your deployment requires TLS offloading and packet inspection, you can take advantage of WAF's native integration with Front Door, which inspects a request after it's decrypted.

If you need to protect your web applications from common threats such as SQL injection, cross-site scripting, and other web-based exploits, the best solution is to use Azure Web Application Firewall (WAF) on Azure Application Gateway. WAF on Application Gateway is based on Open Web Application Security Project (OWASP) core rule set 3.1, 3.0, or 2.2.9. These rules will be used to protect your web apps against the top 10 OWASP vulnerabilities, which you can find at https://owasp.org/www-project-top-ten.

You can use WAF on an Azure Application Gateway to protect multiple web applications. A single instance of Application Gateway can host up to 40 websites, and those websites will be protected by a WAF. Even though you have multiple websites behind the WAF, you can still create custom policies to address the needs of those sites. Figure 3-5 illustrates the components of this solution.


[Figure 3-5 shows requests passing through WAF on Application Gateway to Web Server 1 and Web Server 2, with the WAF policy applied at the gateway and WAF v1 alerts flowing to Microsoft Defender for Cloud.]

FIGURE 3-5 Different components with which the WAF on Application Gateway integrates


In the example shown in Figure 3-5, a WAF Policy is configured for the back-end site. This policy is where you define all rules, custom rules, exclusions, and other customizations (such as file upload limits).

WAF on Application Gateway supports Transport Layer Security (TLS) termination, cookie-based session affinity, round-robin load distribution, and content-based routing. Figure 3-5 highlights the integration with Azure Monitor, which will receive all logs related to potential attacks against your web applications. WAF v1 (the first version of WAF) alerts will also be streamed to Microsoft Defender for Cloud, and they will appear in the Security Alert dashboard.
Data encryption in Azure

Data encryption at rest is an extremely important part of your defense-in-depth strategy because it protects against direct data access that bypasses normal access pathways (such as downloading a virtual hard drive, database, file, and so on). Security Center security recommendations can warn you when a VM is missing disk encryption. You can encrypt your Windows and Linux virtual machines' disks using Azure Disk Encryption (ADE). For Windows OS, you need Windows 8 or later (for the client) and Windows Server 2008 R2 or later (for servers).


ADE provides Operating System (OS) and data disk encryption. For Windows, it uses BitLocker
Device Encryption, and for Linux, it uses the DM-Crypt system. ADE is not available for
the following scenarios:

■ Basic A-series VMs
■ Virtual machines with less than 2GB of memory
■ Generation 2 VMs and Lsv2-series VMs
■ Unmounted volumes


ADE requires that your Windows VM has connectivity with Azure AD so that it can get a 
token to connect with Key Vault. At that point, the VM needs access to the Key Vault endpoint 
to write the encryption keys, and it also needs access to connect to an Azure storage endpoint. 
This storage endpoint hosts the Azure extension repository and the Azure storage account that 
hosts the VHD files. 


The configuration of TPM requirements with group policy is another important consider- 
ation when implementing ADE. If the VMs on which you are implementing ADE are domain 
joined, make sure not to push any group policy that enforces Trusted Platform Module (TPM) 
protectors because this will cause ADE to fail to apply. In this case, you will need to ensure that 
the Allow BitLocker Without A Compatible TPM policy is configured. In addition, BitLocker 
policy for domain-joined VMs with a custom group policy must include the following setting: 
Configure User Storage Of BitLocker Recovery Information / Allow 256-Bit Recovery
Key. 

Because ADE uses Azure Key Vault to control and manage disk encryption keys and secrets, 
you need to make sure Azure Key Vault has the proper configuration for this implementation. 
Both the VM and the Key Vault need to be part of the same subscription. Also, ensure that 
encryption secrets are not crossing regional boundaries. ADE requires that the Key Vault and 
the VMs are located in the same region. 


While these are the main considerations when encrypting Windows VMs, Linux VMs have 
some additional requirements. At least 8GB of memory is required if you need to encrypt both 
data and OS volumes when the root file system usage is 4GB or less. However, if you need to 
encrypt only the data volume, the requirement drops to 2GB of memory. The requirement 
doubles if Linux systems are using a root file system greater than 4GB (meaning the minimum 
memory requirement is root file system usage * 2). 
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APP SERVICE 

To ensure that you are always protecting the data in transit, you should configure your App 
Service plan to use an SSL/TLS certificate. Your App Service plan must be configured to the 
Basic, Standard, Premium, or Isolated tier to create a TLS bind between the certificate and 
your app, or you will need to enable client certificates for your App Service app. 


The App Service enables different scenarios for handling certificates, including the
following:

■ Buying a certificate.
■ Importing an existing certificate from the App Service.
■ Uploading an existing certificate.
■ Importing a certificate from Key Vault (from any subscription on the same tenant).
■ Creating a free App Service custom certificate. (This option does not provide support
for naked domains.)


AZURE KEY VAULT 

Azure Key Vault allows you to store information that should not be made public, such as 
secrets, certificates, and keys. Because Key Vaults can store keys that provide access to sensitive 
information, it’s important to limit who has access to the Key Vaults rather than allowing open 
access to them. You manage Key Vault access on the management and data planes. 


The management plane contains the tools you use to manage the Key Vault, such as the 
Azure portal, Azure CLI, and Cloud Shell. When you control access at the management plane, 
you can configure who can access the contents of the Key Vault at the data plane. From the 
Key Vault perspective, the data plane involves the items stored in the Key Vault, and access 
permissions allow you to add, delete, and modify certificates, secrets, and keys. Access to the 
Key Vault at both the management and data planes should be as restricted as possible. If a user 
or application doesn’t need access to the Key Vault, they shouldn't have access to the Key Vault. 
Microsoft recommends that you use separate Key Vaults for development, pre-production, and 
production environments. 


Each Key Vault you create is associated with the Azure AD tenancy that is linked to the sub- 
scription that hosts the Key Vault. All attempts to manage or retrieve Key Vault content require 
Azure AD authentication. An advantage of requiring Azure AD authentication is that it allows 
you to determine which security principal is attempting access. Access to Key Vault cannot be 
granted based on having access to a secret or key, and access requires some form of Azure AD 
identity. 


Skill 3-2: Security Management capabilities in Azure 


For your defense-in-depth strategy to succeed you need to have visibility and control across 
workloads hosted in Azure, other cloud providers, and your on-premises datacenters. As your 
organization continues to provision new resources in any of these locations, you also need
to constantly maintain and improve your security posture. To accomplish that, you should
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leverage the capabilities available in Microsoft Defender for Cloud. This section covers the 
skills necessary to describe security management capabilities in Azure according to the Exam 
SC-900 outline. 


Microsoft Defender for Cloud 


Microsoft Defender for Cloud gives organizations complete visibility and control over the secu- 
rity of hybrid cloud workloads, including compute, network, storage, identity, and application 
workloads. By actively monitoring these workloads, Defender for Cloud enhances the overall 
security posture of the cloud deployment and reduces the exposure of resources to threats. 
Defender for Cloud also helps you to improve your security posture with Azure Security Bench- 
mark, which provides security recommendations to harden your workloads based on current 
and well-established best practices. 


Defender for Cloud also assesses the security of your hybrid cloud workloads, providing 
centralized policy management to ensure compliance with security requirements for your 
organization or regulatory bodies. Because Defender for Cloud is an Azure service, you must 
have an Azure subscription to use it. (A trial subscription will work, too.) 


With an Azure subscription, you can activate Microsoft Defender for Cloud for free. 
Microsoft Defender for Cloud monitors compute, network, storage, and application resources 
in Azure. It also provides security policy, security assessment and security recommendations. 
Even organizations that are getting started with Infrastructure as a Service (IaaS) in Azure can
benefit from this free service because it will improve their security posture. 


To access the Microsoft Defender for Cloud dashboard, sign in to Azure portal (https:// 
portal.azure.com) and click Microsoft Defender for Cloud in the left pane. What happens 
the first time you open the Security Center dashboard will vary depending on the resources 
you have access to. For the purposes of this example, the dashboard is fully populated with 
resources, recommendations, and alerts, as shown in Figure 3-6.

[Figure 3-6 screenshot: the Microsoft Defender for Cloud Overview dashboard, including an Alerts by severity panel]

FIGURE 3-6 Defender for Cloud main dashboard

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Defender for Cloud uses role-based access control (RBAC) that is based in Azure. By default, 
there are two roles in Security Center: Security Reader and Security Admin. The Security 
Reader role should be assigned to all users who only need read access to the dashboard. For 
example, security operations personnel who need to monitor and respond to security alerts 
should be assigned the Security Reader role. Workload owners (IT operations team and/or 
DevOps teams) might fulfill this responsibility if there is no security team or if the workload 
owners are accountable for managing the security posture of their workloads. 


Workload owners usually need to manage one or more specific cloud workloads and their 
related resources. Additionally, the workload owner is responsible for implementing and 
maintaining protections in accordance with the organization's security policies. Because of 
those requirements, it would be appropriate to assign the Security Admin role for users who 
own a workload. Only subscription Owners/Contributors and Security Admins can edit a 
security policy. Only subscription and resource group Owners and Contributors can apply 
security recommendations for a resource. To enable any Defender for Cloud plan, you need the 
Security Admin or Subscription Owner privilege. 


MORE INFO RBAC IN AZURE


To learn more about RBAC in Azure, see http://aka.ms/azurerbac. 


Large organizations with different business units adopting Azure in an ad hoc way often 
experience challenges getting visibility of all subscriptions in their tenants. For this reason, 
even before enabling Defender for Cloud, you need to work with your IT Team to identify 
all subscriptions that belong to the tenant and verify whether you have the right privileges 
to manage Defender for Cloud. In some scenarios, the same organization might even have 
multiple tenants with different subscriptions on each tenant. 


When multiple subscriptions are part of the same tenant and you need to centralize policy 
across subscriptions, you can use Azure Management Groups. By aggregating multiple 
subscriptions under the same management group, you can simplify the RBAC assignment 
by assigning the permissions to the management group, which will inherit that access to all 
subscriptions in it. This saves time on management because you can allow users to have access 
to everything they need instead of scripting RBAC across different subscriptions. Defender for 
Cloud also allows you to assign a security policy to a management group. 


RECOMMENDATIONS 

Defender for Cloud will identify resources in the subscription (compute, network, storage, 
identity, and application) that need security recommendations and will automatically suggest 
changes. You can see all recommendations in a single place, which is available under General 
> Recommendations. There, the security controls shown in Figure 3-7 are available. Expand 
each one to see the recommendations that belong to that security control. 


Setting the Group By Controls option to Off allows you to see the list of all recommenda- 
tions. When planning your Security Center adoption, make sure to include a full revision of all 
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security recommendations even before exploring more capabilities in Defender for Cloud. You 
should use Defender for Cloud's Secure Score to prioritize which security controls you should 
address first.

[Figure 3-7 screenshot: the Recommendations blade grouped by security control, with columns Controls, Max score, Current score, Potential score increase, Unhealthy resources, Resource health, and Actions. Controls shown, with their max score: Enable MFA (10), Secure management ports (8), Remediate vulnerabilities (6), Apply system updates (6), Manage access and permissions (4), Enable encryption at rest (4), Remediate security configurations (4), Restrict unauthorized network access (4), Encrypt data in transit (4), Apply adaptive application control (3), Protect applications against DDoS attacks (2), Enable endpoint protection (2), Enable auditing and logging (1)]

FIGURE 3-7 Aggregation of all security controls that contain recommendations in Defender for Cloud


Azure Secure Score 


When working in a cloud environment, monitoring the security state of multiple workloads can 
be challenging. How do you know if your security posture across all workloads is at the highest 
possible level? Is there any security recommendation that you are not meeting? These are hard 
questions to answer when you don't have the right visibility and tools to manage the security 
aspects of your cloud infrastructure. 


Defender for Cloud reviews your security recommendations across all workloads, applies 
advanced algorithms to determine how critical each recommendation is and calculates your 
Secure Score based on them. This Secure Score is shown in the main Overview page on its own 
Secure Score tile, as shown in Figure 3-8.

[Figure 3-8 screenshot: the Secure score tile, showing Unhealthy resources 694 ("To harden these resources and improve your score, follow the security recommendations"), the Current secure score, Controls completed 4/6, Recommendations completed 44/84, and an "Improve your secure score" link]

FIGURE 3-8 Secure Score tile
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The overall Secure Score shown in the main dashboard is an accumulation of all your recom- 
mendation scores. Keep in mind that this score can vary because it reflects the subscription that 
is currently selected and the resources that belong to that subscription. If you have multiple
subscriptions selected, the calculation will be for all subscriptions for which you have read privileges. The
active recommendations on the selected subscription also make this score change. Recommen- 
dations are aggregated in security controls, which impact the Secure Score. Your Secure Score 
will increase only if all applicable recommendations within a security control are remediated. 


The example shown in Figure 3-9 is from the Enable MFA security control, and as you can 
see, the current score for this control is 10, which means all recommendations were remedi- 
ated. A green mark appears next to general availability (GA) recommendations. Recommenda- 
tions appearing with a flag to their left are public previews and don't need to be remediated to 
complete the security control.

[Figure 3-9 screenshot: the Enable MFA security control expanded, with max score 10, current score 10, potential score increase +0% (0 points), and no unhealthy resources. Recommendations listed include "MFA should be enabled on accounts with owner permissio...", "MFA should be enabled on accounts with write permission...", "Ensure multi-factor authentication (MFA) is enabled for all...", "Ensure MFA is enabled for the "root" account", "Ensure hardware MFA is enabled for the "root" account" (1 of 1 AWS resources), "Ensure AWS Config is enabled in all regions" (1 of 1 AWS resources), "Hardware MFA should be enabled for the root user" (1 of 1 AWS resources), "MFA should be enabled for all IAM users", "Virtual MFA should be enabled for the root user", "AWS Config should be enabled" (1 of 1 AWS resources), and "MFA should be enabled for all IAM users that have a conso..."]

FIGURE 3-9 Enable MFA security control


MORE INFO SECURE SCORE CALCULATION


For detailed information on how the Secure Score is calculated, visit 
http://aka.ms/sc900securescore. 


Cloud workload protection with Defender for Cloud Plans 


The Cloud Workload Protection Platform (CWPP) allows organizations to assess their cloud
workload risks and detect threats against their servers (IaaS), containers, databases (PaaS), and
storage. It also allows organizations to identify faulty configurations and remediate those with
security best-practice configurations. To use the CWPP capabilities, you need to enable enhanced
security with a Defender for Cloud plan. Defender for Cloud enhanced security delivers extended
detection and response (XDR) capabilities to protect multi-cloud and hybrid workloads, including
virtual machines, databases, containers, IoT, and more. XDR is a new approach defined by
industry analysts that is designed to deliver intelligent, automated, and integrated security across
domains to help defenders connect seemingly disparate alerts and get ahead of attackers.


When you upgrade your Defender for Cloud subscription from the free tier to Defender
for Servers, the following features are available:

■ Security event collection and advanced search
■ Network Map
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■ Just-in-time VM access
■ Adaptive application controls
■ Regulatory compliance reports
■ File integrity monitoring
■ Network Security Group (NSG) hardening
■ Security alerts
■ Threat protection for Azure VMs, non-Azure VMs, and PaaS services
■ Integration with Microsoft Defender for Endpoint (MDE) for Endpoint Detection and
Response (EDR)
■ Multi-cloud support for Amazon Web Services (AWS) and Google Cloud Platform (GCP)
■ Vulnerability assessment integration with Qualys


Another advantage of upgrading to Defender for Servers is that it enables you to monitor 
on-premises resources and VMs hosted by other cloud providers. You achieve this by onboarding 
your machine using Azure Arc and then installing the Log Analytics agent in the target machine. 


Once you upgrade from Security Center Free to Defender for Servers, you will also have threat 
detection enabled for different workloads. Figure 3-10 shows how Defender for Servers uses 
the information collected from VMs to generate a VM-based alert. In this example, non-Azure 
machines and Azure VMs send data collected by the agent to the workspace. Defender for 
Servers uses this data for advanced threat detection analysis and generates recommendations 
that fit within the prevention module or issues alerts that are part of the detection module. 
Defender for Servers employs advanced security analytics, a method that is far more powerful 
than the traditional signature-based approach used by Intrusion Detection Systems.

[Figure 3-10 diagram: Azure VMs and non-Azure machines send agent data to the workspace (DefaultWorkspace-[subscription-ID]-[geo]); Defender for Servers applies detection and prevention and advanced threat detection to that data and surfaces the results in the Defender for Cloud dashboard]

FIGURE 3-10 Azure Defender threat detection
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Defender for Servers uses machine-learning technologies to evaluate all relevant events 
across the entire cloud fabric. By using this approach, it is possible to quickly identify threats that
would be extremely hard to identify using a manual process. Defender for Servers uses the 
following analytics: 


■ Integrated threat intelligence This leverages global threat intelligence from Microsoft
to look for known bad actors.

■ Behavioral analytics This looks for known patterns and malicious behaviors—for
example, a process executed in a suspicious manner, hidden malware, an exploitation
attempt, or the execution of a malicious PowerShell script.

■ Anomaly detection This uses statistical profiling to build a historical baseline and
triggers an alert based on deviations from this baseline. An example of this would be
a VM that normally receives remote desktop connections 5 times a day but suddenly
receives 100 connection attempts. This deviation would trigger an alert.


MORE INFO DEFENDER DETECTION

Read more about Defender for Servers detection capabilities and other relevant scenarios at
https://aka.ms/ascdetections.


In addition to VMs, Microsoft Defender for Cloud has threat detections that are specific for 
each supported Azure service. This is important for securing workloads on the cloud because 
you can quickly get high-quality alerts that security analysts can investigate without requiring 
that you ingest logs into a SIEM and write high-quality queries to identify anomalous behavior. 


You can enable different Microsoft Defender for Cloud plans for the following Azure 
services: 
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■ Defender for Servers
■ Defender for App Service
■ Defender for SQL Database
■ Defender for SQL on machines
■ Defender for Storage
■ Defender for Azure Kubernetes (AKS)
■ Defender for Azure Container Registries (ACR)
■ Defender for Key Vault
■ Defender for Resource Manager
■ Defender for DNS
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Cloud security posture management capabilities 


When it comes to prioritization, security hygiene should be your number one priority. Most of 
the attackers are still succeeding because of a lack of security hygiene. As stated in the Micro- 
soft Digital Defense Report released in September 2020, “The lack of basic security hygiene in 
any given ecosystem continues to enable cybercriminals to use well-known vulnerabilities.” 


The CSPM capabilities in Microsoft Defender for Cloud provide a level of visibility that you 
need to improve your security hygiene and drive security posture enhancement. The main CSPM 
features available in Azure Security Center that tackle this scenario are described in Table 3-2. 


TABLE 3-2 CSPM features

Capability                       Available in Free Tier   Requires Microsoft Defender for Cloud Plan
Security recommendations         X
Secure Score                     X
Security policy                  X
Policy exemption                                          X
Vulnerability assessment                                  X
Regulatory compliance            X
Multi-cloud                      X
Monitor on-premises resources    X


It's critical that your IT security and operations departments constantly collaborate to pro- 
vide better protection, detection, and response. Many organizations already have a security 
operations (SecOps) team dedicated to maintaining the security operations, which includes 
alert triage and investigation. The posture management team is responsible for monitoring the 
security posture of cloud workloads. Defender for Cloud has capabilities that can be leveraged 
by the SecOps team as well as by the posture management team. 

Before using Defender for Cloud to monitor resources, you must review your organization’s 
SecOps process and identify how you can incorporate Defender for Cloud into your routine. 
Figure 3-11 shows the tasks performed by a typical security operations center (SOC), typical 
tasks for CSPM Team, and a set of Defender for Cloud features that can be leveraged by these 
teams. 
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FIGURE 3-11 Mapping security operations and CSPM with Defender for Cloud 


Here are a few key points for incorporating Defender for Cloud into your security operations
and CSPM:

■ Defender for Cloud will continuously evaluate compute, network, storage, and application
resources for compliance. The CSPM team is responsible for ongoing security
assessment and should track recommendations issued by Defender for Cloud on an
ongoing basis and work in partnership with workload owners to show them how to
remediate those recommendations. This team should also leverage the Secure Score as
their security Key Performance Indicator (KPI).

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■ Some of the capabilities that are related to CSPM, such as multi-cloud support, regulatory
compliance, and Qualys integration for vulnerability assessment, will require you to
enable one of the Microsoft Defender paid plans.

■ The security roles available in Security Center, along with Azure's RBAC capability, can
help SOC management control who has access to what part of the platform.

■ You can leverage Azure Monitor Workbooks to provide a specific level of visualization
for the SOC Team. You can leverage some workbook samples that are available in
the Azure Security Center community page located at https://github.com/Azure/
Azure-Security-Center/tree/master/Workbooks.

■ Your CSPM team should use the Workflow Automation feature to automate tasks. Make
sure to leverage the existing automations located on the Azure Security Center community
page at https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/
Workbooks.

■ The SOC has its own incident response (IR) team, which can consume security alerts
generated by Microsoft Defender for Cloud threat detection via the Continuous Export
feature.

■ SOC Analysts who are in charge of triaging alerts can also take advantage of the Workload
Protection Security Alerts dashboard to filter and suppress alerts. This team can
also leverage the Workflow Automation feature to trigger a response to specific alerts.


Security baselines for Azure 


Compliance controls require that standard security controls are measured via configuration 
baselines. Many organizations rely on industry standard controls for security best practices
to improve their security posture. Security baselines for Azure focus on cloud-centric control
areas, where these controls are consistent with well-known security benchmarks, such as those 
described by the Center for Internet Security (CIS). 


Azure Security Benchmark is Azure's own security control framework, which is based 
on industry standards that enable customers to meet their security control requirements 
in Azure. To provide a seamless experience, Azure Security Benchmark became the default 
initiative in Microsoft Defender for Cloud. This means that to track the security status of 
your live environment, you just need to monitor the results via Defender for Cloud. Each 
security recommendation in Defender for Cloud corresponds to a recommendation in 
Azure Security Benchmark. You can even visualize the mapping using the Regulatory 
Compliance dashboard, as shown in Figure 3-12. 
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[Figure 3-12 screenshot: the Microsoft Defender for Cloud Regulatory compliance dashboard showing the Azure Security Benchmark mapping]
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FIGURE 3-12 Azure Security Benchmark


MORE INFO AZURE SECURITY BENCHMARK


For more information about Azure Security Benchmark, see https://aka.ms/benchmarkdocs. 


Skill 3-3: Security capabilities in Microsoft Sentinel 


This objective will cover the concepts of Security Information and Event Management (SIEM),
Security Orchestration, Automation, and Response (SOAR), and Extended Detection and Response
(XDR). These concepts are important to understanding threat protection and response in
today’s security information environment. The section will also cover Microsoft Sentinel and 
how it brings together SIEM, SOAR, and XDR across the Microsoft Security stack. 
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What is Security Information and Event Management 
(SIEM)? 
Typically, a SIEM is the core system or software that a Security Operations Center (SOC) uses
to monitor, manage, and respond to security incidents. A SIEM usually provides the following
capabilities to the SOC: 


■ Data ingestion / Log aggregation
■ Analytics
■ Correlation
■ Data visualization
■ Data retention
■ Forensic analysis


When analyzing a scenario on the SC-900 Exam, you must understand the organization's 
business requirements before recommending a SIEM solution. For example, Contoso needs to 
collect logs and analyze, correlate, and respond to security incidents across multiple security 
products and solutions. Because Contoso needs to perform these functions across multiple 
security products or solutions, a SIEM is needed. Extended detection and response products 
can do this for a specific area, such as an endpoint, but a SIEM can bring together the data and 
alerts across many security solutions. 


Data and log aggregation 


The core capability of any SIEM is to bring together data and logs from many platforms, such 
as network devices, application and system logs, and other security products. A SIEM provides 
organizations with a way to collect the logs from the various sources and often allows them
to be normalized into standard formats. Without this capability, organizations would need to
jump from system to system, reviewing logs, and trying to find security incidents that might 
have occurred. 


The SIEM can collect logs from various sources using different methods. An agent can be 
installed on endpoints to collect logs locally and send them in. A collector can be deployed for 
systems where agents cannot be installed. For example, many network devices do not support 
having an agent installed, but they can send their logs out via SYSLOG, and then the logs can 
be collected. In today’s cloud era, a SIEM should also provide ways to collect logs from both 
SaaS (Software-as-a-Service) and PaaS (Platform-as-a-Service), where again, an agent cannot 
be installed on the source cloud service. 


As data is collected, a SIEM can parse and normalize the data into standard formats to make 
it easy for the SOC to analyze or use the data. Network devices from different vendors will have 
very different messages. While SYSLOG provides a basic message format, it is not comprehen- 
sive enough because organizations still need to parse the message field, which every vendor 
uses differently. ArcSight, a popular SIEM product from Micro Focus, created the Common Event 
Format (CEF), which has been adopted by many vendors and has helped normalize messages 
from devices. 
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The format uses key-value pairs to allow vendors to match their logging data to a set of 
standard fields. It's made even more flexible because it allows vendors to add their own fields. 
Every SIEM on the market supports CEF as one of the standard formats. This is important 
because it allows the SOC to understand the data and fields when building analytics, visualiza- 
tions, or hunting into the data. 


MORE INFO CEF


For more information about CEF, see https://www.secef.net/wp-content/uploads/ 
sites/10/2017/04/CommonEventFormatv23.pdf. 


Analytics 


Once the SOC can collect data from the environmental sources, analytics is the next most 
important capability in the SIEM. Analytics allow a SOC to discern anomalies from expected
behavior and spot patterns that might be attacker activity. 


Analytics allows the analyst to create a detection or rule that triggers based on specific 
parameters. For example, an analyst can easily spot 10 or more failed log-ins from a single user 
on a single machine, but it would be difficult for an analyst to see if those failed logins occurred
across multiple systems over the course of 24 hours. To spot this behavior, an analyst could 
create a rule that creates an alert if ten or more failed log-ins by the same user occur across all 
systems. The analyst could then investigate these log-ins to determine whether the user was 
having a legitimate issue or if an attacker was probing that user account. 


While this is a basic example, many SIEMs today provide much more advanced analytics to 
analyze the data, create a normal pattern of failed log-ins, and alert on an anomalous failed log-in. 


Correlation 


Correlation allows events and/or alerts to be linked into incidents so that the analyst can see 
the entire attack. Using the failed log-ins example from the previous section, let's say that we 
see 20 alerts for different users who have failed log-ins that met the criteria. In this case, wed 
have up to 20 incidents to investigate. Correlation allows us to see that the source IP address 
was the same for all 20 of these failed log-ins, which allows the analyst to see that it is likely 

a single incident composed of multiple alerts. Correlation reduces the workload for the SOC 
analyst and allows them to see whether an attacker is trying to gain access to multiple accounts 
in the environment. 
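As an added example (not code from the book or from any SIEM product), the following Python models the scheduled-style rule from the Analytics section (24-hour look-back, threshold of ten failed log-ins per user across all systems) and the source-IP correlation described here, run over constructed sample sign-in events; the users, host names and IP addresses are made up.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    time: datetime
    user: str
    host: str
    source_ip: str
    success: bool


@dataclass
class Alert:
    user: str
    count: int
    hosts: set
    source_ips: set


@dataclass
class Incident:
    source_ip: str
    alerts: list = field(default_factory=list)

    @property
    def users(self):
        return sorted(a.user for a in self.alerts)


def detect_failed_logins(events, *, now, lookback=timedelta(hours=24), threshold=10):
    """Scheduled-rule style detection: look back `lookback` from `now`, group
    failed log-ins by user across every host, and raise one alert per user
    whose failures reach `threshold`."""
    window_start = now - lookback
    failures = defaultdict(list)
    for ev in events:
        if not ev.success and window_start <= ev.time <= now:
            failures[ev.user].append(ev)
    alerts = [
        Alert(user, len(evs), {e.host for e in evs}, {e.source_ip for e in evs})
        for user, evs in failures.items() if len(evs) >= threshold
    ]
    return sorted(alerts, key=lambda a: a.user)


def correlate_by_source_ip(alerts):
    """Correlation: alerts whose failures all came from one source IP are
    grouped into a single incident keyed by that IP, so many per-user alerts
    from the same address become one incident; alerts with mixed sources
    stay separate."""
    incidents = {}
    for alert in alerts:
        if len(alert.source_ips) == 1:
            key = next(iter(alert.source_ips))
        else:
            key = f"mixed:{alert.user}"
        incidents.setdefault(key, Incident(source_ip=key)).alerts.append(alert)
    return list(incidents.values())


NOW = datetime(2022, 2, 23, 16, 0)  # constructed reference time for the sample


def build_sample_events(now=NOW):
    """Constructed sample sign-in events (not real data)."""
    hosts = ["srv01", "srv02", "srv03", "srv04", "srv05", "srv06"]
    events = []
    # One external address (documentation range) spraying three accounts
    # across six hosts over roughly 17 hours: no single host sees many failures.
    for ui, user in enumerate(["alice", "bob", "carol"]):
        for i in range(12):
            events.append(LoginEvent(
                time=now - timedelta(hours=23) + timedelta(minutes=90 * i + ui),
                user=user, host=hosts[i % len(hosts)],
                source_ip="203.0.113.7", success=False))
    # A legitimate user mistyping a password a few times, then succeeding.
    for i in range(4):
        events.append(LoginEvent(now - timedelta(minutes=10 * i), "dave",
                                 "ws-dave", "10.0.0.5", False))
    events.append(LoginEvent(now - timedelta(minutes=1), "dave", "ws-dave",
                             "10.0.0.5", True))
    # Failures older than the 24-hour look-back: outside the rule's window.
    for i in range(15):
        events.append(LoginEvent(now - timedelta(days=3, minutes=i), "eve",
                                 "srv01", "198.51.100.9", False))
    return events


def run_pipeline(now=NOW):
    """Run detection then correlation over the sample; returns (alerts, incidents)."""
    alerts = detect_failed_logins(build_sample_events(now), now=now)
    return alerts, correlate_by_source_ip(alerts)
```

The three per-user alerts collapse into one incident because every failure came from the same external address, while the legitimate user's four mistakes and the stale events outside the window raise nothing.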


Data visualization 


Today, all SIEMs can visualize data to allow the SOC to turn event data, alerts, and incidents 
into visual informational charts that help further understand the data. For example, the SOC 
could create or use a built-in visualization to see the key measures of the SOC, such as how 
many alerts are occurring per day over the last month, the mean time to acknowledge incidents 
for the SOC, mean time to recovery (MTTR) for the analysts or the SOC, and the number 
of incidents assigned to each analyst. 


The visualization can help the SOC manager determine if the SOC is performing as 
expected. The SOC can use visualization to see if any patterns are found in a single data source. 
For example, an analyst could look at Azure Active Directory (AAD) sign-in logs to see daily 
trends, whether a spike or drop has occurred, or identify the top five types of log-ins (user, 
non-interactive, and so on). 


Data retention 


A SIEM must provide data retention for events, alerts, and incidents. Many organizations have 
industry or government compliance requirements to retain all or some subset of logs for a 
period of time. The SIEM either needs to store the logs directly or provide a way to export the 
logs to archived storage. Retention also is required for investigation and hunting. For example, 
let's say an attacker gains access to a system, and the system is reaching out to a command- 
and-control server on the internet. If the SIEM only had logs for the past few days, the SOC 
analyst would not be able to go back in time to see if any other systems have reached out to 
that same server IP address. The analyst wouldn't be able to tell if this was a one-time attack or 
if the attack had also occurred previously. Additionally, as other organizations discover attackers 
and share indicators of compromise (IoC) on those attacks, your SOC will need past data to 
determine whether the same attackers got into your environment without being detected. 


All SIEMs can store and retain data for long periods, but this comes at a cost. Hot storage— 
which is needed for fast searching of the data—is much more expensive than cold storage. 
Some SIEMs provide the capability to interact with cheaper storage for data that is stored over 
the longer term. Because of the cost, most SOCs retain 90-180 days in the SIEM and offload 
long-term data to other cheaper storage systems. 


Forensic analysis 


The investigation example in the previous section illustrates what is meant by “forensic analysis.” 
The analyst can use the logs from many systems to investigate an incident to understand the full 
impact of the attack. This is a reactive type of analysis, meaning the analyst reacts to the inci- 
dent and conducts forensics to determine what happened. A SIEM can also provide proactive 
analysis. SOC analysts could perform proactive hunting across the data sets to look for security 
issues for which the SOC might not have a detection. For example, it would be interesting to 
proactively look at the top uncommon processes running on systems in the environment. The 
SOC wouldn't have detection for these processes because they don’t know what process names 
to look for. By conducting proactive analysis (hunting), they could see the top five uncommon 
processes and discover an unknown or malicious process. They could then turn this into a secu- 
rity incident, conduct an investigation, and respond. If needed, the analyst could create a new 
analytic for detecting whether that process is executed again, assuming it’s a bad process. 
What is security orchestration, automation, and response (SOAR)? 


Security orchestration, automation, and response (SOAR) enables organizations to automate 
incident response and coordinate detection and remediation actions across disparate 
systems. In the past, when a security incident was raised, an analyst would need to manually 
follow a response playbook. The playbook could be as simple as “reset the user's password,” 
or it could be a more complex multi-step operation. SOAR allows the SOC to automate these 
actions, reducing the workload on the analyst and creating a faster response time. In today’s 
cybersecurity environment, minutes matter. Incidents occur more quickly, leaving less time for 
security analysts to manually triage, investigate, and remediate attacks. 


Security orchestration allows the integration of these disparate systems through either 
built-in integrations or by allowing the use of application programming interfaces (APIs). The 
SOC might want to connect with many systems, such as threat intelligence platforms, vulner- 
ability management systems, firewalls, and so on. Other non-security-related systems or APIs 
might need to be accessed, such as Azure itself. 


Security Automation allows the SOC to automate typical security actions in response to 
incidents. Let's use the failed log-ins example provided earlier. The analyst might start by 
reviewing the failed log-in logs, extracting the source IP address, and then examining that IP 
address. Does it belong to the organization? If it was external, where did it come from? What 
country? Did I expect the user to log in from this location? These are time-consuming questions. 
To see where the user normally resides, the analyst must answer each of these questions 
from various systems, such as IP address management, the geo-location service, and 
Azure Active Directory. Security automation allows the SOC to build playbooks to automate 
these activities. The playbook could query the IPAM system to see if it's a known address. An 
if statement or condition could then take the next action if the IP address is not a corporate 
IP. The playbook could update the incident based on the results or even take actions, such as 
resetting the user's password and notifying their manager. Playbooks can be simple or very 
complex, and they can even call each other. 
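The playbook described in this paragraph, as an added Python example that is not code from the book, Microsoft Sentinel or Azure Logic Apps. The corporate IP ranges, the geo-location table and the users' usual sign-in countries are constructed stand-ins for the IPAM, geo-location and Azure Active Directory systems a real playbook would query, and the response actions are recorded on the incident rather than executed.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-ins for the systems a real playbook would query over an
# API: the IPAM corporate ranges, a geo-location lookup, and the countries each
# user normally signs in from according to Azure AD sign-in history.
IPAM_CORPORATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
GEO_TABLE = {"203.0.113.7": "Country-X", "198.51.100.9": "Country-Y"}
AAD_USUAL_COUNTRIES = {"alice": {"Country-Y"}, "bob": {"Country-X", "Country-Y"}}


@dataclass
class Incident:
    incident_id: str
    user: str
    source_ip: str
    severity: str = "Medium"
    status: str = "New"
    comments: list = field(default_factory=list)
    actions: list = field(default_factory=list)  # response actions the playbook took


def enrich_ip(ip):
    """Sub-playbook: ask IPAM whether the address is corporate; only external
    addresses are sent on to the geo-location lookup."""
    addr = ipaddress.ip_address(ip)
    corporate = any(addr in net for net in IPAM_CORPORATE_RANGES)
    country = None if corporate else GEO_TABLE.get(ip, "unknown")
    return {"ip": ip, "corporate": corporate, "country": country}


def respond_failed_logins(incident):
    """Main playbook for the failed log-ins incident: enrich the source IP,
    branch on the result, record what was learned on the incident, and take
    response actions only for an external address outside the user's usual
    countries."""
    info = enrich_ip(incident.source_ip)  # playbooks can call other playbooks
    incident.comments.append(f"IPAM: {info['ip']} corporate={info['corporate']}")
    if info["corporate"]:
        incident.comments.append("Corporate address; left for analyst review")
        return incident
    usual = AAD_USUAL_COUNTRIES.get(incident.user, set())
    incident.comments.append(
        f"Geo: {info['country']}; user usually signs in from {sorted(usual)}")
    if info["country"] in usual:
        incident.comments.append("Location matches sign-in history; no action taken")
        return incident
    # Condition met: external address from an unexpected country. Contain the
    # account, notify the manager, and escalate the incident for the SOC.
    incident.actions.append(("reset_password", incident.user))
    incident.actions.append(("notify_manager", incident.user))
    incident.severity = "High"
    incident.status = "Active"
    return incident
```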


Security Response allows the SOC to review and monitor these automations. If a playbook 
is automatically called during incident creation, the SOC might need to check the playbook’s 
status or review the playbook’s result later. 

In the context of the SC-900 exam, you need to understand the business requirements that 
will lead you to recommend a SOAR solution. First and foremost, the organization must auto- 
mate actions in response to security incidents. It must allow multiple systems to be connected 
via various methods, and it should allow response actions to be managed or monitored. It 
should reduce the amount of time it takes the SOC to handle an incident as well. 
What is extended detection and response (XDR)? 


Extended detection and response (XDR) solutions automatically collect and correlate data 
from multiple security products, thereby improving threat detection and providing an inci- 
dent response capability. Like a SIEM, the key difference between XDR and a classic security 
technology is that an XDR is built for a specific type of technology, such as endpoints, identity 
systems, SaaS applications, cloud services like Azure Storage, Azure SQL, and so on. XDR tools 
often provide high-quality alerts because they collect data beyond logs from those assets. 
For example, they collect process trees or in-memory detections for endpoint detection and 
response tools (EDRs). (EDRs are a subset of XDR.) 


Some (not all) XDR solutions can combine alerts across these asset types into a single inci- 
dent like a SIEM. XDR was created from organizations’ need to reduce SOC analyst workload 
by providing high-quality alerts (and often additional investigative capabilities like SOAR). XDR 
tools are limited to the assets they cover, so a SIEM+XDR is an ideal strategy because it provides 
the best of both worlds. 


EXAM TIP 


For the SC-900 exam, an XDR is needed by organizations that have a business requirement 
to intelligently consolidate alerts from security solutions across domains. The exam might 
also cover requirements for automated remediation. 


Microsoft Sentinel 


Microsoft Sentinel is the world’s first cloud-native SIEM and SOAR solution. It was built from the 
ground up in the cloud and allows organizations to scale with their SIEM and SOAR demands. 
Organizations can connect data across all users, devices, applications, and infrastructure. Data 
sources such as Microsoft Defender (an XDR solution) and third-party sources such as firewalls 
can be brought together to detect threats across their environments, both on-premises and 
across clouds. Organizations can use all this data to detect threats that were not previously 
detected by combining analytics and threat intelligence. The Microsoft cloud brings machine 
learning (a subset of artificial intelligence) to Microsoft Sentinel to assist with detecting and 
investigating security incidents. The SOC can hunt across the data at scale, looking for anoma- 
lous activity. Microsoft Sentinel is integrated with Azure Logic Apps to provide SOAR capabili- 
ties to speed up security incident response and reduce the required time to incident resolution. 


Collect 


As discussed earlier, a SIEM must provide data and log aggregation. At the time this book was 
written, Microsoft Sentinel provides 103 data connectors. Data connectors are consistently 
being added, so this number will change over time. Figure 3-13 shows an overview of the data 
connectors blade in Microsoft Sentinel. 


Skill 3-3: Security capabilities in Microsoft Sentinel 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


99 


[Figure 3-13 screenshot: the Microsoft Sentinel Data connectors blade, with the General, Threat management, Content management and Configuration navigation sections on the left and a searchable list of connectors (Agari Phishing Defense and Brand Protection, AI Analyst Darktrace, AI Vectra Detect, Akamai Security Events, Alcide kAudit, Alsid for Active Directory, Amazon Web Services, Amazon Web Services S3, Apache HTTP Server, Apache Tomcat, Aruba ClearPass) filtered by provider, data type and status.] 
FIGURE 3-13 Data Connectors blade 


Microsoft Sentinel provides data connectors for Microsoft 365 Defender, Microsoft 365 sources 
like Office 365, many Azure services and diagnostic logs, and built-in connectors to a broader secu- 
rity ecosystem for non-Microsoft solutions. As of this writing, more than 60 of the 115+ connectors 
are for non-Microsoft solutions. Also, there are several generic connectors for the Common Event 
Format, Syslog, and REST API to connect any data source in the organization's environment. 


Many of the connectors are service to service, meaning Microsoft Sentinel connects directly 
to the cloud service. For example, each Microsoft 365 Defender product has a connector that 
brings security alerts from these products into Microsoft Sentinel. Office 365 and Dynamics 
365 connectors are other examples of service-to-service connectors. 


Other connectors use agents to collect logs from endpoints. Currently, Microsoft Senti- 
nel uses the Log Analytics agent, which supports both Windows and Linux and can connect 
Windows Events, SYSLOG, and other log files on the endpoint. The Log Analytics agent is being 
replaced by the Azure Monitor Agent in the near future. 

Some connectors that don’t have a service-to-service or agent collection method are avail- 
able as well. Typically, these use an Azure function to query data from other services and send 
the data to Log Analytics via a REST API. 

Let's walk through configuring at least one data connector: 


1. Open Azure portal and sign in with a user who has Microsoft Sentinel Contributor 
privileges. 
2. In the left navigation pane, click Microsoft Sentinel. 
3. Click the Microsoft Sentinel workspace. 
4. Click Data Connectors. 


5. Scroll down and select Microsoft Defender for Cloud, as shown in Figure 3-14. You 
can see in the figure that Microsoft Defender for Cloud is not configured, as it does not 
show a green bar to the left of the connector name. 
FIGURE 3-14 Data Connectors blade 


6. Click the Open Connector Page button. 


7. Use the slider to enable the subscriptions that are to be connected to Azure Sentinel. 
Figure 3-15 shows the detailed connector page. 
FIGURE 3-15 Microsoft Defender for Cloud Connector blade 
Figure 3-16 shows the data connector's Next Steps tab. Every data connector will have these 
three sections: Recommended Workbooks, Query Samples, and Relevant Analytics. Recom- 
mended Workbooks are visual dashboards for the data type and will be covered later in this 
chapter. Query Samples contain just a few simple queries to get you started with the data types 
the connector brings in. Most importantly, Relevant Analytics are analytic templates that are 
available for the data type, making it easy to get started detecting against your data source. 
FIGURE 3-16 Next Steps tab 


Detect 
Microsoft Sentinel provides the ability to detect threats through Analytics Rules. Today, there 
are more than 300 analytic rule templates, and more are being added. An analytic rule can cor- 
relate events and security alerts into incidents. An incident is a discrete set of potential attacker 
activity represented by groups of related alerts that the SOC will need to triage. There are six 
analytic rule types: 
■ Anomaly Uses ML models to detect threats in connected data sources. The ML models 
are created and provided by Microsoft, reducing the need for the SOC to create their 
own ML models. 
■ Fusion Uses Microsoft proprietary ML technology to automatically detect multistage 
attacks by combining several anomalous behaviors or suspicious activities that are part 
of the same attack kill-chain. 


TIP ATTACK DETECTION SCENARIOS 


The Azure Sentinel documentation contains a list of attack detection scenarios for the Fusion 
rule type. See the documentation at https://docs.microsoft.com/en-us/azure/sentinel/fusion. 


■ Machine Learning (ML) Behavior Analytics Uses Microsoft proprietary ML 
algorithms to detect anomalous activity. Currently, there are two of these rule 
templates—one to detect anomalous Secure Shell (SSH) logins and another for Remote 
Desktop Protocol (RDP) logins. 


■ Microsoft Security Creates an incident automatically whenever a security alert is 
received from Microsoft 365 Defender products. Microsoft 365 Defender products 
include Microsoft Defender for Cloud Apps, Microsoft Defender for Cloud, Azure Active 
Directory Identity Protection, Microsoft Defender for IoT, Defender for Office 365, 
Defender for Endpoint, and Defender for Identity. 


■ Scheduled Query-based rules that run on a schedule with parameters for query 
scheduling, alert threshold, grouping, suppression, and incident creation. 

An SOC should start by using rule templates to cover the detection use cases they want to protect or 
monitor for in their environment. Rule templates are out-of-the-box detections that can be used 
to detect attacks in various data sources. If a template does not exist for the use case, there are 
also other samples in the Microsoft Sentinel Community. The Microsoft Sentinel Community is a 
GitHub repository of additional samples that SOCs can use with Microsoft Sentinel. 


NOTE MICROSOFT SENTINEL COMMUNITY 


The Microsoft Sentinel Community can be found at https://github.com/Azure/Azure-Sentinel 
or via the Community blade in Microsoft Sentinel. 


Let's walk through configuring at least one analytic using a template: 
1. Open Azure portal and sign in with a user who has Microsoft Sentinel Contributor 
privileges. 
2. In the left navigation pane, click Microsoft Sentinel. 
3. Click the Microsoft Sentinel workspace. 


4. Click Analytics. Figure 3-17 shows an overview of the Analytics blade in Azure Sentinel. 
Active Rules and Rule Templates tabs appear along the top. In this figure, the Active 
Rules tab is active, which shows the rules currently enabled for the workspace. 


[Figure 3-17 screenshot: the Microsoft Sentinel Analytics blade, showing rule counts by severity (Medium (167), Low (29), Informational (156)), an Add filter bar, and the Active rules and Rule templates tabs.] 


FIGURE 3-17 Analytics blade 
5. Click Rule Templates. 
6. In the search box, type Defender. 


7. Select Create Incidents Based On Azure Defender. This is a Microsoft Security rule 
type. It will create an incident when an alert is received from Microsoft Defender for 
Cloud. 


8. In the right pane, click the Create Rule button. 


9. Figure 3-18 shows the General tab of the Analytics Rule Wizard. Because this is a 
Microsoft Security rule type, a minimal amount of configuration is required. You can fil- 
ter to only certain severities and alert names (Include or Exclude). You might do this so 
that you only bring in certain alerts from Microsoft Security products and exclude noisy 
alerts that still need to be tuned in the source product. 


[Figure 3-18 screenshot: Analytics rule wizard - Create new rule from template, General tab, for "Create incidents based on Azure Defender alerts". Fields shown: Name (Create incidents based on Azure Defender alerts), Description (Create incidents based on all alerts generated in Azure Defender), Status toggle, Microsoft security service (Microsoft Defender for Cloud), Filter by severity (Any or Custom: Low, Medium, High), Include specific alerts (only create incidents from alerts that contain the following text in the alert name), Exclude specific alerts (only create incidents from alerts that do not contain the following text in the alert name), and the Next : Automated response button.] 


FIGURE 3-18 Creating a new rule from a template 
10. Click Next: Automated Response. 


11. On the Automated Response tab, you can configure an automated response. Follow- 
ing are the actions that can be taken from the Automated Responses tab: 


■ Run Playbook Trigger a Logic App 
■ Change Status Change the status of the incident to New, Active, or Closed 
■ Change Severity Change the severity of the incident to Informational, Low, 
Medium, or High 
■ Assign Owner Set the owner of the incident 
■ Add Tag Add tags to the incident 


Figure 3-19 shows the Automated Response tab with the Create New Automation 
Rule fly-out menu. 


[Figure 3-19 screenshot: Analytics rule wizard, Automated response tab, Incident automation (preview) section. The text reads: "View all automation rules that will be triggered by this analytics rule and create new automation rules. The automation rule will receive the incident as its input, as will any playbooks called by the automation rule. Only playbooks configured with the incident trigger can be called by automation rules." An Add new button sits above a table with the columns Order, Automation rule name, Action and Status, which reads "No automation rules".] 


FIGURE 3-19 Create New Automation Rule 


12. Click Next: Review. 


13. Review the rule's settings and click Create. 


Investigate 


Once an analytic triggers a detection and creates an incident, the SOC will need to investigate 
it. Microsoft Sentinel provides a rich investigation experience so the SOC can quickly triage and 
respond to the incident. Let's open an incident and investigate it by following the steps below: 


1. Open Azure portal and sign in with a user who has Microsoft Sentinel Contributor 
privileges. 


2. In the left navigation pane, click Microsoft Sentinel. 


3. Click the Microsoft Sentinel workspace. 
4. Click Incidents. The Incidents blade allows the SOC analyst to see a list of incidents. 
When the analyst selects an incident, they can see details of the incident, as shown in 
Figure 3-20. 


[Figure 3-20 screenshot: the Microsoft Sentinel Incidents blade, showing open incidents by severity (High, Medium, Low, Informational), filters for severity, status, product name and owner, and a list of incidents with columns for severity, incident ID, title, alert count, product names, created time and last update time.] 


FIGURE 3-20 The Incidents blade 


5. The analyst can then view the full details of the incident by clicking View Full Details. 
Figure 3-21 shows the full details of the incident. The analyst can quickly see a timeline 
view of the alerts that are part of the incident and details of each alert, bookmarks, 
entities, and comments. This information provides the analyst with a quick, detailed 
overview of the incident. 


[Figure 3-21 screenshot: Incident details blade for incident ID 146145, "User login from different countries within 3 hours (Uses Authentication Normalization)", owner Unassigned, status New, severity High, with Timeline, Alerts, Bookmarks, Entities and Comments tabs. The alert description reads "This query searches for successful user logins from different countries within 3 hours. To use this analytics rule, make sure you have deployed the ASIM normalization parsers"; Detected by Microsoft Sentinel; Tactics: Initial Access. The side panel shows Evidence counts (Events, Alerts, Bookmarks), last update and creation time 02/23/22, 04:17 PM, Entities (3), Tactics and techniques (Initial Access), Incident workbook (Incident Overview), the Analytics rule name, Tags and an Actions menu.] 
FIGURE 3-21 Incident details blade 
6. When the analyst clicks Investigate, they are provided with the Investigation Dashboard, 
which allows for deep investigation via a graph that helps the analyst understand 
the scope and root cause of the attack. The analyst can ask questions about the 
entities involved in an incident with simple right-clicks in the graph. Microsoft Sentinel 
has a set of canned queries that analysts typically ask of entities. These run in real-time, 
and the analyst can see if there are any results. This is a huge time saver; without these 
canned queries, the analyst would need to open a query window and run each query to 
see if there were any interesting or related events. Figure 3-22 shows the Investigation 
Graph and the fly-out menu for an entity. All queries with results are shown. 


[Figure 3-22 screenshot: Investigation graph for the incident "Suspicious Remote WMI Execution" (severity Low, status New, owner Unassigned, 5/1/2021, 1:02:22 PM), with the fly-out menu of entity queries and their result counts.] 


FIGURE 3-22 The Investigation Graph 


The analyst can then see that the user entity also failed to log in to another computer, so now 
the analyst knows the attacker also attempted to log in to another machine. Figure 3-23 shows the 
graph expansion when the analyst clicks the results. A new entity is added to the graph, and when 
the analyst clicks it, they can see entity details of the computer, such as HostName and DnsDomain. 


[Figure 3-23 screenshot: the same investigation graph for "Suspicious Remote WMI Execution" expanded with the newly added host entity and its entity details pane.] 


FIGURE 3-23 The Investigation Graph with entity details 
Microsoft Sentinel provides two other capabilities for investigation: User and Entity Behavior 
Analytics (UEBA) and hunting. UEBA analyzes incoming log sources and builds baseline behav- 
ioral profiles for entities. When investigating an incident, it is sometimes necessary to pivot to an 
entity such as a user to gain further insight into what occurred. UEBA also uses various types of 
machine learning to gain insights for each entity, such as whether a user is accessing a server for 
the first time ever. Let's take a look at the user JeffL from our previous incident in Figure 3-23. 


1. Open the Azure portal and sign in with a user who has Microsoft Sentinel Contributor 
privileges. 

2. In the left navigation pane, click Microsoft Sentinel. 
3. Click the Microsoft Sentinel workspace. 
4. Click Entity Behavior. 
5. In Figure 3-24, you can see the Entity Behavior blade, which shows lists of top entities 
by the number of alerts. You can also search for an entity in the search bar. 


[Figure 3-24 screenshot: the Microsoft Sentinel Entity behavior blade, with a Last 24 hours time filter, Entity behavior settings and Customize entity page (Preview) buttons, a search box for accounts, hosts or IP addresses, and lists of Accounts by # of alerts and Hosts by # of alerts.] 


FIGURE 3-24 The Entity Behavior blade 


6. Search for a user and select the user account. 


7. On the Entity Behavior blade, Microsoft Sentinel provides much more context into 
the entity to understand what is/has occurred. Figure 3-25 shows the entity blade for a 
user. The left pane shows information about the user, which is pulled from Azure Active 
Directory. The middle pane shows a chart of events and alerts containing the entity with 
a timeline of alerts and significant events involving the user. The right pane provides 
various insights from the UEBA learning, such as whether the user has been added to 
any groups recently. 
[Figure 3-25 screenshot: the entity page for a user, time range 2/22/2022, 5:24:38 PM - 2/23/2022, 5:24:38 PM, showing Contact info on the left, the recent top 10 high severity alerts and the Azure sign-in result count in the middle, and UEBA Insights on the right.] 


FIGURE 3-25 The Entity blade 


UEBA can provide the analyst with a better understanding of the entities involved in an 
incident, which helps the analyst understand how far the attack may have gotten inside the 
environment beyond just what was found in the incident. 


Threat hunting is a form of proactive investigation that allows you to find adversaries that 
slipped past detections but still can damage the organization. This is an important complement 
to detection and involves hunting through the data to look for security threats that the SOC 
might not be alerting on today. For example, you can't create an alert for a malicious process 
name if you don't know the process name. With hunting, the analyst can find uncommon pro- 
cesses (which are processes that have been executed across the environment but are not com- 
mon across endpoints) across all the data. If something malicious occurs, the analyst can create 
an incident to triage and then build an analytic rule to detect if it happens again now that they 
have the process name. Let's take a quick look at threat hunting in Microsoft Sentinel. 
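The uncommon-process hunt described here and in the "Forensic analysis" section earlier, as an added Python example that is not the book's code or a Microsoft Sentinel hunting query. The process-creation events, host names and the svch0st.exe look-alike are constructed; the ranking generalizes the "least common process by command line" idea to any (process, command line) pair counted across hosts.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    process: str
    command_line: str


def build_sample_events():
    """Constructed process-creation events (not real telemetry): ten hosts run
    the same everyday software, two also run an archiver, and one host runs a
    look-alike binary from a user-writable path."""
    events = []
    for n in range(1, 11):
        host = f"ws{n:02d}"
        events += [ProcessEvent(host, "svchost.exe", "svchost.exe -k netsvcs")] * 2
        events += [ProcessEvent(host, "outlook.exe", "outlook.exe")]
        events += [ProcessEvent(host, "chrome.exe", "chrome.exe --type=renderer")] * 3
    for host in ("ws02", "ws05"):
        events.append(ProcessEvent(host, "7zFM.exe", "7zFM.exe"))
    events.append(ProcessEvent("ws07", "svch0st.exe",
                               r"C:\Users\Public\svch0st.exe -k netsvcs"))
    return events


def least_common_processes(events, top=5):
    """Hunt: rank (process, command line) pairs by how many distinct hosts ran
    them, then by total executions, rarest first. Returns
    (process, command_line, host_count, run_count) tuples."""
    hosts = defaultdict(set)
    runs = defaultdict(int)
    for ev in events:
        key = (ev.process, ev.command_line)
        hosts[key].add(ev.host)
        runs[key] += 1
    ranked = sorted(hosts, key=lambda k: (len(hosts[k]), runs[k], k))
    return [(p, c, len(hosts[(p, c)]), runs[(p, c)]) for p, c in ranked[:top]]


def make_detection(process_name):
    """Once the hunt confirms a process is malicious, turn its name into an
    analytic that flags any later event running it (case-insensitive)."""
    wanted = process_name.lower()

    def detect(events):
        return [ev for ev in events if ev.process.lower() == wanted]

    return detect
```

The rarest entry in the ranking is the single-host look-alike binary, which is exactly the kind of finding the text says an analyst would bookmark, raise as an incident and then convert into a detection with `make_detection`.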


1. Open the Azure portal and sign in with a user who has Microsoft Sentinel Contributor 
privileges. 


2. In the left navigation pane, click Microsoft Sentinel. 
3. Click the Microsoft Sentinel workspace. 
4. Click Hunting. 
5. In Figure 3-26, you can see the Hunting blade. At the top, you can see how many 
queries exist. The Run All Queries button allows you to run all queries at once. This is 
useful because an analyst can run all queries and then focus on the ones with results. 
In the lower middle part of the blade is a list of queries with a MITRE ATT&CK mapping. 
The right blade shows details of the hunting query. Search the queries for a process and 
select Least Common Process By Command Line. 
FIGURE 3-26 The Hunting blade 


6. On the blade at the right, click Run Query. If the environment shows any results, click 
View Results to explore the uncommon processes. 


7. Figure 3-27 shows an example result on the Logs blade. Here, an analyst can take two 
actions. First, they can select a specific record and create a bookmark, which is a refer- 
ence that can be used later for further investigation, or the bookmark can be added to 
an incident. Second, they can start the wizard to create a new alert rule by clicking New 
Alert Rule -> New Microsoft Sentinel Alert. 
FIGURE 3-27 The Logs blade 
Hunting in Microsoft Sentinel provides one last capability to help the SOC: Livestream. 
Livestream allows the analyst to run a query in real-time and see any results as they come in. This 
can be used when the SOC has an indicator of compromise (IOC) that they want to watch for during 
an active incident. We will not cover the details of Livestream here, as it is not covered on the test. 


Respond 


Automation rules provide a way to trigger automatic responses to security incidents. Automation 
rules can set the incident status, set severity, assign an owner or tag, or run a playbook. 
Playbooks are collections of steps or workflows that can be run in response to an incident. 
Playbooks are based on Azure Logic Apps, which provides many connectors to various services 
for integrating into the workflow. Let's create an automation rule by following the steps below: 
1. Open Azure portal and sign in with a user who has Microsoft Sentinel Contributor 

privileges. 

In the left navigation pane, click Microsoft Sentinel. 

Click the Microsoft Sentinel workspace. 


Click Automation. 


wR wn 


Figure 3-28 shows the Automation blade. You can see all configured automations, as 
well as the Playbooks tab. 
FIGURE 3-28 The Automation blade 


6. Click Create > Add New Rule. 


7. Figure 3-29 shows an empty Create New Automation Rule pane. 
FIGURE 3-29 The Create New Automation Rule pane 


8. For this scenario, let's create a rule that assigns an owner. Enter the name Change 
Owner. 

9. In the Conditions, choose Contains from the Analytic Rule Name drop-down menu, 
and leave All selected. 

10. From the Actions drop-down menu, choose Assign Owner. 

11. Click the Assign Owner drop-down menu and select a user. 

12. Leave the Rule Expiration and Order options set to their default values. 

13. Click Apply. Figure 3-30 shows the completed pane. 
FIGURE 3-30 Completed Create New Automation Rule pane 


This illustrates the concept of SOAR with an extremely simple automation rule to assign all 
incidents to a specific user. In reality, most SOCs would customize a rule like this based on their 
operating model, such as assigning specific analytics rules to a particular analyst or team. 
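To make the rule's behavior concrete, here is an added Python model (not the book's code and 
not Microsoft's implementation) of how automation rules are evaluated against a new incident: 
rules run in Order, each applies its actions only when its conditions match, a disabled or 
expired rule is skipped, and a later rule can overwrite what an earlier one set. The first rule 
is the Change Owner rule built above; the other two, together with the owner addresses and the 
playbook name, are invented to show the team-based routing the text mentions. 

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Incident:
    title: str
    analytic_rule: str          # name of the analytics rule that created the incident
    severity: str               # Informational | Low | Medium | High
    owner: Optional[str] = None
    status: str = "New"
    tags: list[str] = field(default_factory=list)
    history: list[str] = field(default_factory=list)


@dataclass
class AutomationRule:
    name: str
    order: int                  # lower runs first; later rules may overwrite earlier ones
    conditions: dict            # rule_name_contains=<str>, severity_in=<list>; {} matches every incident
    actions: list[tuple[str, str]]
    enabled: bool = True        # an expired or disabled rule is skipped


def matches(rule: AutomationRule, inc: Incident) -> bool:
    """Evaluate the rule's conditions; the 'Analytic Rule Name contains' test is
    case-insensitive, and an absent condition places no constraint."""
    cond = rule.conditions
    needle = cond.get("rule_name_contains")
    if needle and needle.lower() not in inc.analytic_rule.lower():
        return False
    if "severity_in" in cond and inc.severity not in cond["severity_in"]:
        return False
    return True


def apply_actions(rule: AutomationRule, inc: Incident) -> None:
    for action, value in rule.actions:
        if action == "assign_owner":
            inc.owner = value
        elif action == "set_severity":
            inc.severity = value
        elif action == "set_status":
            inc.status = value
        elif action == "add_tag":
            inc.tags.append(value)
        elif action == "run_playbook":
            # In Sentinel this would trigger a Logic App; here we only record the request.
            inc.history.append(f"playbook requested: {value}")
        else:
            raise ValueError(f"unknown action {action!r} in rule {rule.name!r}")
        inc.history.append(f"{rule.name}: {action}={value}")


def run_automation(rules: list[AutomationRule], inc: Incident) -> Incident:
    """Apply every enabled, matching rule in Order and return the modified incident."""
    for rule in sorted(rules, key=lambda r: r.order):
        if rule.enabled and matches(rule, inc):
            apply_actions(rule, inc)
    return inc


# The book's Change Owner rule plus two customizations of the kind the text describes.
# Owner addresses and the playbook name are invented for this example.
RULES = [
    AutomationRule("Change Owner", 1, {}, [("assign_owner", "soc-tier1@contoso.example")]),
    AutomationRule("Identity alerts to IAM", 2, {"rule_name_contains": "sign-in"},
                   [("assign_owner", "iam-team@contoso.example"), ("add_tag", "identity")]),
    AutomationRule("Escalate high severity", 3, {"severity_in": ["High"]},
                   [("set_status", "Active"), ("run_playbook", "Notify-OnCall")]),
]


def triage(title: str, analytic_rule: str, severity: str, rules=RULES) -> Incident:
    return run_automation(rules, Incident(title, analytic_rule, severity))


if __name__ == "__main__":
    inc = triage("Unfamiliar sign-in for alice", "Suspicious sign-in from unfamiliar location", "Medium")
    print(inc.owner, inc.tags, inc.status)
    for line in inc.history:
        print(" ", line)
```

The Order field is what makes the broad "assign everything to the tier-1 queue" rule safe to 
keep: a more specific rule with a higher order number reassigns the incident afterwards, and the 
history shows both steps, which is what you would want when auditing why an incident landed 
with a given team. 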


MORE INFO PLAYBOOK EXAMPLES 


See the Playbook samples in the Microsoft Sentinel community at https://github.com/Azure/ 
Azure-Sentinel/tree/master/Playbooks. 


MORE INFO LOGIC APPS 


Logic Apps is outside the scope of this book. To learn more, see https://docs.microsoft.com/ 
en-us/azure/logic-apps/logic-apps-overview. 
Visualize 


Once the SOC has ingested data into Microsoft Sentinel, it can be visualized and monitored 
using workbooks. Workbooks can be used with many of the provided templates, or you can 
create custom dashboards or modify an existing template to meet the organization's needs. 
Let's take a look at workbooks. 


1. Open Azure portal and sign in with a user who has Microsoft Sentinel Contributor 
privileges. 

2. In the left navigation pane, click Microsoft Sentinel. 

3. Click the Microsoft Sentinel workspace. 

4. Click Workbooks. 

5. Figure 3-31 shows the Workbooks blade. You can see the number of saved workbooks 
and templates that are available. Click Templates. 
FIGURE 3-31 Workbooks blade 

6. Any workbook with a green status bar in the templates list means the workbook has been 
saved already. To save a currently unsaved workbook, simply select it and click Save. 
Choose the location in which you want to save the workbook and click OK. 

7. Click View Saved Workbook. Figure 3-32 shows the Security Operations Efficiency workbook. 
This workbook is useful for the SOC to see how security operations are performing. 
FIGURE 3-32 Security Operations Efficiency workbook 


Skill 3-4: Threat protection with Microsoft 365 
Defender 


This objective will cover the concepts of threat protection with Microsoft 365 Defender. 
Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that includes 
both XDR and SOAR capabilities for detection and response, though it also includes preventive 
controls. 


Describe Microsoft 365 Defender services 


Microsoft 365 (M365) Defender protects endpoints, email, identities, and cloud applications. 
Each product in the suite will be covered in the following sections. It's important to under- 
stand that each product is designed to work together to provide full threat protection across 
resource types in the environment. Microsoft 365 Defender provides the following unified 
capabilities: 
■ Single pane of glass You can view all detections, assets, actions, and related information 
in a single incident queue at security.microsoft.com. 


■ Combined incidents Alerts generated by each product are correlated and combined 
into a single incident and timeline analysis. This allows you to see the full attack scope 
and affected assets in one view (including additional context such as the sensitivity of 
data affected by an incident). 


■ Automatic response Critical information is shared between the products to allow for 
real-time response to help stop the progression of an attack. For example, Defender for 
Endpoint finds a malicious file. In this case, Defender for Endpoint can instruct Defender 
for Office 365 to scan and remove the file from all email messages. 

■ Cross-product SOAR Automated investigation and response (AutoIR) helps automatically 
investigate and remediate attacks. 


■ Cross-product threat hunting SOC teams can leverage raw data from each product 
to hunt for signs of compromise and create queries that can be used for custom alerting. 


EXAM TIP 

For the SC-900 exam, it is important to understand which products are part of the Microsoft 
365 Defender suite and what capabilities are provided. 


Describe Microsoft Defender for Identity 


Microsoft Defender for Identity—sometimes referred to as MSDI—is a cloud-based security 
solution for monitoring Windows Server Active Directory and Active Directory Federation 
Services (ADFS). It can identify, detect, and allow the investigation of advanced threats and 
compromised identities or malicious insiders. Figure 3-33 shows the Defender for Identity 
portal. Once logged in, the security analyst can review the timeline for security alerts that need 
to be investigated. Let's log in to the portal and take a look at an alert: 


1. Open a browser, visit portal.atp.azure.com, and sign in with a user who has Security 
Administrator privileges. 


2. Figure 3-33 shows the Defender for Identity Timeline page. 


FIGURE 3-33 Defender for Identity portal 
3. After clicking an alert, the analyst can see the details for the single alert. Figure 3-34 
shows the alert view. You can see details such as the user, computer (source and destina- 
tion, if applicable), and the attack that was committed. 


FIGURE 3-34 Defender for Identity Alert 


Defender for Identity uses a sensor that can be installed on Active Directory Domain Con- 
trollers or Active Directory Federation Servers to collect data from event logs, network traffic, 
and Active Directory. As data is collected, Defender for Identity detects an attack through 
specific detections; collects and analyzes the data to create behavioral baselines for each user; 
and builds mappings of activities, permissions, and group memberships. This allows the secu- 
rity analyst to understand the attack better as it relates to the identity. The analyst can see both 
the alert and understand the identity’s patterns via a created graph showing the attack’s lateral 
movement paths across the environment. Lateral movement is a typical attack technique that 
uses credentials to pivot from one part of the network to another. 


Describe Microsoft Defender for Office 365 


Defender for Office 365 (MSDO) provides threat protection for inbound messages (email and 
other), links (URLs), and attachments for collaboration tools including Microsoft Teams, Share- 
Point Online, OneDrive for Business, and Exchange Online. MSDO includes: 


■ Threat protection policies Configure policies to protect the organization 

■ Reports View reporting to monitor MSDO 

■ Threat investigation and response Prevent, investigate, respond, and simulate 
attacks 

■ Automatic investigation and response Save time by automatically mitigating 
threats 
MSDO policies are configured to determine the behavior and protection level for predefined 
threats. Policies can be configured for fine-grained threat protection at the user, organization, 
recipient, and domain level. Policies can be configured for the following areas: 

■ Safe Attachments Check email messages to provide zero-day protection. All mes- 
sages and attachments that do not have a virus/malware signature are routed to a spe- 
cial sandbox that uses machine learning (ML) to detect malicious intent. If no suspicious 
activity is found, the message is delivered. 

■ Safe Links Makes a time-of-click check to ensure that the URL is safe. Malicious links 
are blocked, while safe links remain accessible. 

■ Safe Attachments for SharePoint, OneDrive, and Microsoft Teams Like 
Safe Attachments but scans files shared via collaboration software to protect the 
organization. 

■ Anti-phishing Detects attempts to impersonate users and internal/custom domains 
and uses ML and advanced impersonation detection algorithms. 


Figure 3-35 shows the Microsoft 365 Defender portal. The figure shows that MSDO policies 
can be configured by clicking Policies & Rules in the left menu under Email & Collaboration. 


FIGURE 3-35 Defender for Office 365 policies 


Reports provide real-time insights the SOC can use to understand the current threats it's 
facing with MSDO. MSDO provides a threat explorer dashboard, a threat protection status 
report, a file types report, and a message disposition report. 

Organizations can use threat investigation and response to anticipate and understand mali- 
cious attacks. Threat trackers provide the latest intelligence from Microsoft on cybersecurity 
issues. The SOC can see the latest malware and recommendation to take action before the 
attack hits. Threat explorer provides a real-time report that the SOC can use to analyze recent 
threats. Lastly, the SOC can use Attack Simulator to run realistic attacks on the organization to 
identify vulnerabilities. 


Recently, MSDO added automated investigation and response (AIR) capabilities. This set of 
security playbooks can run automatically when an alert is triggered or when the SOC manually 
runs it. The prebuilt playbooks provide the SOC team with time-saving steps to investigate and 
mitigate threats. 


Describe Microsoft Defender for Endpoint 


Microsoft Defender for Endpoint (MSDE) is designed to protect endpoints, allowing enterprises 
to prevent, detect, investigate, and respond to advanced threats. For the SC-900 exam, it's 
important to understand the following MSDE areas: 

■ Threat and vulnerability management 

■ Attack-surface reduction 

■ Next-generation protection 

■ Endpoint detection and response 

■ Automated investigation and remediation 

■ Management and APIs 


Threat and vulnerability management (TVM) provides the capability to discover, prioritize, 
and remediate endpoint vulnerabilities and misconfigurations. TVM uses the same MSDE sen- 
sor, so there is no need for an additional agent. It provides real-time device inventory, visibility 
into software and vulnerabilities, application runtime context, and configuration posture. TVM 
bridges the gap between security administrators and IT admins by integrating with Microsoft 
Endpoint Manager. Let's review the TVM dashboard: 


1. Open a browser, visit security.microsoft.com, and sign in with a user who has Security 
Administrator privileges. 


NOTE MSDE HAS MOVED 


After the Microsoft 365 Defender portal was added, MSDE moved to security.microsoft.com. 


2. Click Vulnerability Management in the left menu and then select Dashboard. The 
MSDE TVM Dashboard appears, as shown in Figure 3-36. 


3. Here, you can see an overview of threats and vulnerabilities. 


■ The Exposure Score for the organization is calculated from discovered weaknesses, 
the likelihood of a breach, and the value of the device. 

■ In the center section, you can see the top recommendations list and the top events. 

■ On the right is the Microsoft Secure Score for devices. 

■ Scrolling down, you can see exposure distribution by severity, remediation activities, 
top vulnerable software, and top exposed devices. 
4. You can dive into each of these areas for more information and better understand your 
organization's risks and vulnerabilities. 


FIGURE 3-36 Defender for Endpoint Threat and Vulnerability Management Dashboard 


Attack surface reduction provides the capability to enable features in operating systems to 
reduce their attack surface. 


■ Hardware-based isolation You can enable hardware-based isolation to ensure the 
system's integrity as it starts and while it's running. 

■ Application control Application control can limit which applications are allowed to 
run to reduce the risk of rogue applications. 

■ Controlled folder access Controlled folder access allows only trusted apps to make 
changes to controlled folders. This can prevent attacks like ransomware from making 
changes to controlled folders and files. 

■ Network protection Network protection blocks outbound HTTP(S) traffic that 
attempts to connect to low-reputation sources (based on the domain name). 

■ Exploit protection Exploit protection provides exploit mitigation techniques to 
operating system processes and apps. 

■ Device control Lastly, device control allows you to protect against data loss by 
monitoring and controlling media used on devices. 


Taken together, these ASR capabilities can significantly reduce the chances of a successful 
attack when they are enabled across the organization's devices. 


MSDE is directly integrated with Microsoft Defender Antivirus to provide next-generation 
protection on the endpoints. The protection uses machine learning, big-data analysis, 
threat-resistance research, and the Microsoft cloud to protect devices from new and 
emerging threats. Microsoft Defender Antivirus is built into Windows 10 and Windows 
Server 2016+. It provides real-time antivirus with always-on scanning that uses file and process 
behavior monitoring. It can also detect and block apps that are deemed unsafe but might not 
be detected as malware. It provides cloud-delivered protection, which means it can near-instantly 
detect and block emerging threats by leveraging the Microsoft cloud. 


The core component that makes MSDE so powerful for SOCs is endpoint detection and 
response. It continually collects behavioral cybertelemetry that includes process information, 
network activities, deep optics into the kernel and memory manager, user log ins, registry and 
file changes, and others. The information is stored in the cloud for six months, which allows 
analysts to view all the way back to the start of an attack. Once an attack is detected, a security 
alert is triggered. MSDE combines multiple alerts that are part of the same attack into inci- 
dents. This allows the SOC to see a full view of the attack. Let's take a look at the incident queue 
by following the steps below: 


1. Open a browser, visit security.microsoft.com, and sign in with a user who has Security 
Administrator privileges. 


2. Expand Incidents & Alerts in the left menu and select Incidents. 


3. Figure 3-37 shows the MSDE Incidents queue. Here, you can see the timeline chart of 
incidents over time, which might show a spike when there are increased attacks. Below 
the chart in Figure 3-37 is a list of open incidents. You can see a name, severity, state, 
and more detailed information in the table in various columns. The top of the list is the 
most important to investigate first. 


FIGURE 3-37 Incidents queue 


4. Click an incident. Figure 3-38 shows the details of the incident. You can see an over- 
view of everything involved in the incident, such as a timeline of security alerts, entities 
involved, and incident information. Near the top are tabs that allow you to dive deeper 
into each area so you can further investigate and then respond to the attack. 
FIGURE 3-38 Incident details 


Automated Investigation and Remediation (AIR) is a SOAR technology that uses various 
inspection algorithms to follow SOC-based processes to examine alerts and take immediate 
action. When a security alert is triggered, AIR automatically starts investigating the device. 
Depending on the organization's configuration, AIR can wait for approval to take action, such as 
deleting a malicious file, or it can automatically take action. In addition, AIR can recommend or 
act on one or several actions, such as stopping a service, removing a scheduled task, and so on. 
AIR reduces the workload on the SOC by automating investigation processes. Normally, an SOC 
analyst would need to take these steps and actions on the endpoints, which can be cumbersome. 


MSDE provides management capabilities to onboard devices, and it is fully integrable with 
Microsoft Endpoint Manager and Azure Defender for servers, which provides a complete, end- 
to-end experience for configuration, deployment, and monitoring. MSDE also provides role- 
based access control (RBAC), which gives you fine-grained control over which users and entities 
can access which resources. MSDE has a rich set of APIs, allowing you to automate workflows 
and integrate with other applications in the organization's environment. Figure 3-39 shows an 
overview of the MSDE APIs. 
FIGURE 3-39 Defender for Endpoint APIs 

Describe Microsoft Cloud App Security 


Microsoft Cloud App Security (MCAS) is a cloud-access security broker (CASB) that provides 
multiple capabilities, including XDR for SOC, governance and policy, data protection, and ses- 
sion monitoring. MCAS provides rich visibility into your cloud apps and services and control 
over data and analytics to detect threats across your cloud services. 

MCAS allows you to discover and control the use of Shadow IT. By analyzing your cloud 
traffic logs, you can discover laaS, PaaS, and SaaS services being used across the organization. 
Some of these apps might be known and controlled already, but many organizations are not 
aware of all the cloud services being consumed, which means they cannot control and pro- 
tect them. MCAS can analyze firewall and proxy logs or integrate with Microsoft Defender for 
Endpoint to see the traffic to which endpoints are connecting. Let's take a look at the Discovery 
dashboard by following the steps below: 

1. Open a browser, navigate to portal.cloudappsecurity.com, and sign in with a user who 
has Security Administrator privileges. 


2. Expand the Discovery item in the left menu and select the Cloud Discovery Dashboard. 


3. Figure 3-40 shows the MCAS Cloud Discovery dashboard. Here, you can see an 
overview of all the discovered cloud apps and services. You can see a count of apps, IPs, 
users, devices, and traffic. Also, you can see a breakdown of cloud apps by category and 
risk. Also, you can see the discovered apps and entities using those applications. 
FIGURE 3-40 MCAS Discovery dashboard 
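Cloud Discovery works from traffic logs: each destination host is matched against a catalog of 
known cloud apps, the matched flows are rolled up per app into users, source IPs and traffic 
volume, and unsanctioned apps with a low risk score are what the SOC treats as Shadow IT. The 
Python below is an added example of that pipeline, not the book's or Microsoft's code. The 
proxy log lines, the five-entry app catalog and its risk scores are all constructed for the 
example; they are not MCAS's real catalog or ratings, and the log format is a simplified CSV 
rather than any specific proxy vendor's layout. 

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed app catalog: domain -> (app name, category, risk score 1..10, where 10 is
# the most trustworthy). Scores are invented for this example, not MCAS's real ratings.
APP_CATALOG = {
    "sharepoint.com": ("Microsoft SharePoint Online", "Collaboration", 10),
    "salesforce.com": ("Salesforce", "CRM", 9),
    "dropbox.com": ("Dropbox", "Cloud storage", 8),
    "wetransfer.com": ("WeTransfer", "Cloud storage", 4),
    "pastebin.com": ("Pastebin", "Content sharing", 3),
}

# Constructed proxy log: timestamp,user,src_ip,dest_host,bytes_up,bytes_down,action
PROXY_LOG = """\
2021-09-01T09:00:00Z,alice,10.0.0.5,contoso.sharepoint.com,1200,48000,allowed
2021-09-01T09:01:00Z,bob,10.0.0.6,www.dropbox.com,250000,1000,allowed
2021-09-01T09:02:00Z,carol,10.0.0.7,wetransfer.com,9000000,2000,allowed
2021-09-01T09:03:00Z,alice,10.0.0.5,pastebin.com,3000,500,allowed
2021-09-01T09:04:00Z,dave,10.0.0.8,na1.salesforce.com,5000,70000,allowed
2021-09-01T09:05:00Z,bob,10.0.0.6,contoso.sharepoint.com,800,30000,allowed
2021-09-01T09:06:00Z,erin,10.0.0.9,wetransfer.com,1500000,1000,allowed
2021-09-01T09:07:00Z,alice,10.0.0.5,intranet.contoso.example,100,2000,allowed
"""


@dataclass(frozen=True)
class Flow:
    user: str
    src_ip: str
    host: str
    bytes_total: int


def parse_proxy_log(text: str) -> list[Flow]:
    """Parse the simplified CSV above; blank and comment lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _ts, user, src_ip, host, up, down, _action = line.split(",")
        flows.append(Flow(user, src_ip, host.lower(), int(up) + int(down)))
    return flows


def app_for_host(host: str):
    """Suffix match against the catalog, so na1.salesforce.com maps to salesforce.com."""
    for domain, entry in APP_CATALOG.items():
        if host == domain or host.endswith("." + domain):
            return entry
    return None  # internal or uncatalogued destination, not a discovered cloud app


def discover(flows: list[Flow]) -> dict[str, dict]:
    """Roll flows up per discovered app: who used it, from where, and how much data moved."""
    apps: dict[str, dict] = {}
    for flow in flows:
        entry = app_for_host(flow.host)
        if entry is None:
            continue
        name, category, risk = entry
        app = apps.setdefault(name, {"category": category, "risk": risk,
                                     "users": set(), "ips": set(), "bytes": 0, "sessions": 0})
        app["users"].add(flow.user)
        app["ips"].add(flow.src_ip)
        app["bytes"] += flow.bytes_total
        app["sessions"] += 1
    return apps


def summary(apps: dict[str, dict]) -> dict:
    """The headline counts the dashboard shows: apps, users, IPs and traffic."""
    users = set().union(*(a["users"] for a in apps.values())) if apps else set()
    ips = set().union(*(a["ips"] for a in apps.values())) if apps else set()
    return {"apps": len(apps), "users": len(users), "ips": len(ips),
            "bytes": sum(a["bytes"] for a in apps.values())}


def shadow_it(apps: dict[str, dict], sanctioned: set[str], max_risk: int = 5) -> list[str]:
    """Unsanctioned apps at or below the risk threshold, biggest data movers first."""
    risky = [name for name, a in apps.items() if name not in sanctioned and a["risk"] <= max_risk]
    return sorted(risky, key=lambda name: -apps[name]["bytes"])


if __name__ == "__main__":
    found = discover(parse_proxy_log(PROXY_LOG))
    print(summary(found))
    for name in shadow_it(found, {"Microsoft SharePoint Online", "Salesforce"}):
        a = found[name]
        print(f"{name}: risk {a['risk']}, {len(a['users'])} users, {a['bytes']} bytes")
```

The ordering in shadow_it is deliberate: a low-scored file-transfer app that has moved ten 
megabytes is a more urgent conversation than a low-scored app someone visited once, which is 
the same prioritization the discovery dashboard's traffic column supports. 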


Once cloud apps are discovered, they can be connected to MCAS for monitoring and 
applying policies. MCAS provides connections for the following apps: 


■ Azure 

■ Amazon Web Services 

■ Box 

■ Dropbox 

■ GitHub 

■ Google Workspace 

■ Google Cloud Platform 

■ Office 365 

■ Okta 

■ Salesforce 

■ ServiceNow 

■ WebEx 

■ Workday 


Once connected, MCAS can apply policy control over the cloud app. MCAS provides the 
following policy types: 


■ Access Provides real-time monitoring and control over log-ins to your cloud apps 

■ Activity Allows the monitoring and enforcement of activities in your cloud apps 

■ Anomaly detection Looks for unusual activities in your cloud apps 

■ App discovery Alerts you when new apps are detected in the organization 

■ Cloud discovery anomaly detection Looks for unusual activities in cloud discovery 
logs 

■ File Scans cloud apps for files, file types, or data and applies governance actions 

■ Malware Identifies malicious files in cloud storage 

■ OAuth app anomaly detection Looks for unusual OAuth app activity 

■ OAuth app Creates an alert when risky OAuth apps are detected 

■ Session Provides real-time monitoring and control over user activity in cloud apps 


EXAM TIP 


For the SC-900 exam, it is important to understand that MCAS can discover cloud apps and 
protect them with threat detection and data loss prevention. 


Skill 3-5: Security management capabilities of 
Microsoft 365 


Microsoft 365 Defender gathers the components described in Skill 3-4 in a central portal to 
allow SOCs to see the threat protection capabilities across the suite. This creates a unified 
investigation experience, which makes it easier for the SOC and security admins to monitor and 
respond. 
Describe the Microsoft 365 Security Center 


The Microsoft 365 Security Center is the unified portal for monitoring and managing security 
across identities, data, devices, apps, and infrastructure. The organization can view security 
health, configure devices, users, and apps and get alerts on suspicious activity. Governance 
teams and posture management teams often use Security Center, and other teams use it to 
monitor and improve the organization's overall security posture. 


All the security content from the Office 365 Security and compliance center (protection. 
office.com) and Defender for Endpoint (securitycenter.microsoft.com) are now found in the 
Microsoft 365 Security Center. Alerts from Defender for Identity and Microsoft Cloud App 
Security are combined in the Security Center to create a single incident and alert queue for the 
security operations teams. Threat hunting also includes all data from MSDE, MSDO, and MDI, 
allowing SOC analysts to easily conduct hunting across disparate data sets. 


Figure 3-41 shows the dashboard when logging in to the Microsoft 365 Security Center. The 
dashboard shows the Microsoft Secure Score, users and devices at risk, device compliance, and 
other various aspects of security across the environment. 
FIGURE 3-41 Microsoft 365 Security Center 


EXAM TIP 


For the SC-900 exam, it's important to know Microsoft 365 Security Center is the new uni- 
fied portal found at security.microsoft.com. Currently, Defender for Endpoint and Defender 
for Office 365 are fully integrated. 
Describe how to use Microsoft Secure Score 


Microsoft Secure Score is a representation of the organization's security posture and how it can 
be improved. It provides a recommended list of actions the organization should enable or act 
on to improve security. Let's look at Microsoft Secure Score by following the steps below: 


1. Open a browser, visit security.microsoft.com, and sign in with a user who has Security 
Administrator privileges. 


2. Click Secure Score in the left menu. 


3. Figure 3-42 shows the Microsoft Secure Score dashboard. On the left is the Secure 
Score over time chart with a breakdown by category. In the middle, you can see the 
actions that need to be reviewed. Each item is a recommendation the organization 
should take action on. Finally, the pane at the right shows the Secure Score compared to 
other organizations like yours. 
FIGURE 3-42 Microsoft Secure Score 


4. Click Improvement Actions. 


5. Figure 3-43 shows the list of improvement actions. Here, the organization can work 
through each action. It's important to start with the actions that have the highest Secure 
Score impact. The Secure Score is calculated with the highest impact being the riskiest 
to the organization. 
FIGURE 3-43 Improvement Actions 


6. Click one of the recommendations. 


7. Figure 3-44 shows a single improvement action. Here, the organization can assign an 
action plan to address the issue. It also shows the potential impact of taking this action. 
Most importantly, it shows the recommended steps to resolve the action. Organizations 
can follow these steps to mitigate this risk properly. 
FIGURE 3-44 An improvement action 


EXAM TIP 


For the SC-900 exam, it is important to remember that organizations should resolve the 
most impactful improvement actions because they present the most risk. 
Explore security reports and dashboards 


Microsoft 365 Security Center has a Security Reports section where security teams can track 
security across the organization as part of their day-to-day operations. The report contains 
cards that can be drilled into for detailed information. Figure 3-45 shows a Security Report. 


FIGURE 3-45 Security Report 
By default, the cards in the Security Report are grouped by categories. They can also be 
rearranged and grouped into the following areas: 


■ Risk 

■ Detection Trends 

■ Configuration and Health 

■ Other 


EXAM TIP 


For the SC-900, remember that Security Reports are used to view security trends across the 
organization and track the protection of devices, identities, apps, and data. 


Describe incidents and incident management capabilities 


Incidents are a grouping of security alerts that have been correlated and represent an attack. 
The incident provides a view and context of an attack. Normally, an SOC analyst would need to 
investigate each security alert and determine that they were part of the same attack. Microsoft 
365 Defender does this for the SOC. The incident shows where the attack started, what meth- 
ods were used, and to what extent the attack has progressed in the environment. Let's look 
into an incident by following the steps below: 


1. Open a browser, visit security.microsoft.com, and sign in with a user who has Security 
Administrator privileges. 


2. Expand Incidents & Alerts and select Incidents. 


3. As you did when we looked at the Incident Queue earlier in this chapter, select an 
incident. 


4. Figure 3-46 shows the incident we looked at earlier. 
FIGURE 3-46 An incident in Defender for Endpoint 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


5. Click Alerts. 


6. Figure 3-47 shows the Alerts tab. Here, the security analyst can see all the alerts that 
have been aggregated into the incident, even if they have occurred multiple times. Each 
alert can be clicked for detailed information. 
FIGURE 3-47 Incident alerts 


7. Click Devices. 


8. Figure 3-48 shows the Devices tab. Each device involved in the alerts that make up the 
incident is shown. The security analyst can click each device to see detailed information. 

FIGURE 3-48 Devices that are part of an incident 
9. Click Users. 


10. Figure 3-49 shows the Users tab. Each user involved in the alerts that make up the 
incident is shown. The security analyst can click each user and see detailed information. 

FIGURE 3-49 Incident Users 


11. Like the Users and Devices tabs, a Mailbox tab is shown if any mailboxes were 
involved. 


12. Click Investigation. 


13. Figure 3-50 shows the Investigations tab. Each of the automated investigations and 
responses is shown. The analyst can click each investigation to get detailed information 
if needed. 

FIGURE 3-50 Investigations tab 
14. Click Evidence And Response. 


15. Figure 3-51 shows the Evidence And Response tab. Any evidence found from the AIR 
investigations is shown here. If Automatic Response is enabled, response actions are 
also shown. 

FIGURE 3-51 Incident Evidence and Response 


16. Once the analyst has investigated the incident via the tabs and information available, 
they can manage the incident. Click Manage Incident. 


17. Figure 3-52 shows the Manage Incident pane. The analyst can rename the incident or 
add any relevant tags, change the assignment, and resolve the incident when they're 
ready. Resolving an incident also resolves all the linked active alerts. When resolving 
the incident, the analyst can set the Classification to True Alert or False Alert. If True 
Alert is selected, an additional prompt—Determination—is shown. The Determination 
can be APT, Malware, Security Personnel, Security Testing, Unwanted Software, or 
Other. Setting the Determination flags the incident as the type of result that was found 
after investigation. 


18. Also, the SOC can add comments if desired. 

FIGURE 3-52 Manage Incident 


EXAM TIP 
For the SC-900 exam, it is important to remember that the Microsoft 365 Security Center 
allows the SOC to manage incidents centrally across the Microsoft 365 Defender suite. They 
can assign ownership, resolve incidents, and conduct the needed investigation to respond 
to the incident. 
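Both the Defender for Endpoint discussion earlier in this chapter (alerts that are part of the 
same attack are combined into incidents) and this section describe the correlation step without 
showing what it does. The Python below is an added example, not the book's or Microsoft's 
code: it links alerts that share a device or user entity into one incident, derives the 
incident's severity, devices, users and reporting sources from its alerts, and implements the 
Manage Incident rules described above (a True Alert needs a Determination from the listed 
values, a False Alert takes none, and resolving the incident resolves all linked alerts). The 
five alerts, their products, hosts and users are constructed for the example, and correlating 
purely on shared device or user is a simplification of what the products actually do. 

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
# The Determination values offered when an incident is resolved as a True Alert.
DETERMINATIONS = {"APT", "Malware", "Security Personnel", "Security Testing",
                  "Unwanted Software", "Other"}


@dataclass
class Alert:
    id: str
    product: str
    title: str
    severity: str
    device: Optional[str] = None
    user: Optional[str] = None
    status: str = "New"

    def entities(self) -> list[tuple[str, str]]:
        """Entity keys this alert touches; shared keys are what link alerts together."""
        keys = []
        if self.device:
            keys.append(("device", self.device.lower()))
        if self.user:
            keys.append(("user", self.user.lower()))
        return keys


@dataclass
class Incident:
    alerts: list[Alert]
    status: str = "Active"
    classification: Optional[str] = None
    determination: Optional[str] = None

    @property
    def severity(self) -> str:  # an incident is as severe as its worst alert
        return max((a.severity for a in self.alerts), key=SEVERITY_RANK.__getitem__)

    @property
    def devices(self) -> list[str]:
        return sorted({a.device for a in self.alerts if a.device})

    @property
    def users(self) -> list[str]:
        return sorted({a.user for a in self.alerts if a.user})

    @property
    def products(self) -> list[str]:
        return sorted({a.product for a in self.alerts})

    def resolve(self, classification: str, determination: Optional[str] = None) -> None:
        """Manage Incident rules: a True Alert needs a Determination, a False Alert must
        not carry one, and resolving cascades to every linked alert."""
        if classification not in ("True Alert", "False Alert"):
            raise ValueError(f"unknown classification {classification!r}")
        if classification == "True Alert" and determination not in DETERMINATIONS:
            raise ValueError("True Alert requires a Determination from the known set")
        if classification == "False Alert" and determination is not None:
            raise ValueError("Determination only applies to True Alert")
        self.classification, self.determination, self.status = classification, determination, "Resolved"
        for alert in self.alerts:
            alert.status = "Resolved"


def correlate(alerts: list[Alert]) -> list[Incident]:
    """Union-find over alerts and their entities: alerts sharing a device or user end up
    in one connected component, and each component becomes one incident."""
    parent: dict[tuple[str, str], tuple[str, str]] = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving keeps trees shallow
            node = parent[node]
        return node

    def union(a, b):
        root_a, root_b = find(a), find(b)
        if root_a != root_b:
            parent[root_a] = root_b

    for alert in alerts:
        node = ("alert", alert.id)
        find(node)  # an alert with no entities is still its own component
        for entity in alert.entities():
            union(node, entity)

    groups: dict[tuple[str, str], list[Alert]] = {}
    for alert in alerts:
        groups.setdefault(find(("alert", alert.id)), []).append(alert)
    # Largest incidents first, ties broken by first alert id, so the output is stable.
    return sorted((Incident(g) for g in groups.values()), key=lambda i: (-len(i.alerts), i.alerts[0].id))


# Constructed alerts from four products; hosts, users and titles are invented.
SAMPLE_ALERTS = [
    Alert("A1", "Defender for Endpoint", "Suspicious PowerShell command line", "High", device="ws01", user="alice"),
    Alert("A2", "Defender for Office 365", "Phishing email delivered", "Medium", user="alice"),
    Alert("A3", "Defender for Identity", "Suspected Pass-the-Hash attack", "High", device="ws01", user="svc-backup"),
    Alert("A4", "Defender for Endpoint", "Credential dumping tool observed", "High", device="dc01", user="svc-backup"),
    Alert("A5", "Cloud App Security", "Unusual mass download", "Medium", user="bob"),
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(f"{inc.severity}: {len(inc.alerts)} alerts, devices={inc.devices}, "
              f"users={inc.users}, sources={inc.products}")
```

Note how A2 (a phishing alert with no device) and A4 (a domain controller alert with no link to 
ws01) still land in the same incident: A2 shares a user with A1, and A4 shares a service account 
with A3. That transitive chaining is what lets the incident view show where an attack started and 
how far it has spread, which no single alert can. 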
Skill 3-6: Endpoint security with Microsoft Intune 


No security strategy would be complete without addressing endpoint security. It is important 
to manage organization-owned devices and personal devices (BYOD—bring your own device). 
To ensure that you have visibility and control of both types of endpoints, you need a solution 
that offers both mobile device management (MDM) and mobile application management 
(MAM). This section covers the skills necessary to describe endpoint security with Microsoft 
Intune according to the Exam SC-900 outline. 


What is Intune? 


Microsoft Intune is a cloud-based solution for MDM and MAM that enables organizations to 
manage mobile phones, tablets, and laptops. With Microsoft Intune, you can configure policies 
to control applications for different scenarios, such as preventing emails from being sent to 
people outside your organization while allowing users to use their own devices. Intune policies 
can be leveraged to ensure that your organization's data stays protected and can be isolated 
from personal data. Intune is available as a standalone Azure service. It’s also included with 
Microsoft 365 and Microsoft 365 government and is available as Mobile Device Management 
in Microsoft 365 (though the Intune features are limited). 


Figure 3-53 shows a summary of the platforms supported by Microsoft Intune and the three 
management scenarios available. 


[Figure 3-53: Microsoft Intune shown beneath its three management scenarios: Mobile device management, Mobile application management, and Computer management, with icons for the supported device platforms.] 

FIGURE 3-53 Different platforms supported by Microsoft Intune 


TIP INTUNE FREE TRIAL 
Follow the steps at http://aka.ms/sc900_intunefreetrial to try Intune free for 30 days. 

When managing organization-owned devices, you can create policies to enable full control 
over the devices, which includes the device's settings, feature usage, and security options. In 
this scenario, devices and users of these devices will enroll in Intune. After this enrollment, rules 
and settings are applied via policies that were configured in Intune. If you are also managing 
personal devices, you can give freedom to users who are unwilling to allow the organization to 
have full control over their personal devices. 

To address organization security policies for mobile devices and respect the users’ privacy, 
you can allow users to optionally enroll their devices. By enrolling their devices, they will also 
have access to your organization's resources based on your configured policy. For this scenario, 
you will use app protection policies that require multifactor authentication (MFA) in order for 
users to use those apps. 


Some of the advantages of having devices enrolled and managed by Intune include the 
following capabilities: 

■ Obtain an inventory of devices accessing organization resources 
■ Force devices to meet security and health standards according to your organization's 
needs 
■ Push certificates to devices to enable scenarios, such as accessing your organization's 
WiFi network or VPN connection 
■ Visualize reports on users and devices that are compliant and not compliant 
■ Delete organization data if the device is compromised or lost 


The MAM capability in Intune allows organizations to protect their data at the application 
level, which includes custom apps and store apps. MAM capability can be used on 
organization-owned devices and personal devices. When Intune is managing the apps, you will 
be able to do the following: 

■ Manage mobile apps by adding and assigning apps to user groups and devices, 
including users in specific groups, devices in specific groups, and more 
■ Customize apps to start or run with specific configurations enabled and update apps 
that are already on the device 
■ Visualize reports on which apps are used and track their usage 
■ Perform a selective wipe of data by erasing only organization data from apps without 
affecting users' owned data 

Conditional access is another important capability available in Intune; it is integrated with 
Azure AD conditional access and is critical to implementing zero-trust security principles. This 
shows up in two forms—device-based conditional access and app-based conditional access. 


For device-based conditional access, Intune provides a device compliance policy that 
evaluates the compliance status of managed devices. This compliance status is then reported 
to Azure AD so that it can enforce the device portion of the organization's conditional access 
policy when the user tries to access organization resources. 


NOTE CONFIGURATION OF DEVICE-BASED CONDITIONAL ACCESS POLICIES 


Device-based conditional access policies for Exchange Online and other Microsoft 365 
products are configured through the Microsoft Endpoint Manager admin center. 
App-based conditional access with Intune is available via app protection policies, which 
help protect organizations’ data on devices by enforcing Azure AD conditional access policies 
on them. It is important to mention that to use app-based conditional access, you need to have 
Enterprise Mobility + Security (EMS) or an Azure AD Premium subscription. Also, users must be 
licensed for EMS or Azure AD. 


Endpoint security with Intune and Microsoft Endpoint Manager admin center 


The Endpoint security policies available in Intune help you configure the security of your 
devices to mitigate potential risks. Intune provides Endpoint Security Policies that configure 
device-level security settings for a device. 


Before accessing the Microsoft Endpoint Manager admin center portal, the account that 
you are using must have certain RBAC requirements in place. Besides having an assigned 
license for Intune, the account's role must have permissions equal to the permissions provided 
by the built-in Intune role, Endpoint Security Manager. The Endpoint Security Manager 
role grants access to the Microsoft Endpoint Manager admin center. This role can be used by 
people who manage security and compliance features, including security baselines, device 
compliance, conditional access, and Microsoft Defender for Endpoint (MDE). 


To access the Microsoft Endpoint Manager admin center portal, go to https://endpoint.microsoft.com/. 
There, you will see the Endpoint Security option in the left navigation pane, as 
shown in Figure 3-54. 


[Figure 3-54: Microsoft Endpoint Manager admin center home page for the Contoso tenant. Left navigation: Home, Dashboard, All services, Devices, Apps, Endpoint security, Reports, Users, Groups, Tenant administration, Troubleshooting + support. Main pane: Status and alerts (Tenant status: Active; Service health: Healthy; Connector status: Healthy; Device compliance: All in compliance; Device enrollment: No Intune enrollment failures; Device configuration: No configuration failures; Client apps: No installation failures), Guided scenarios (Deploy Edge for mobile; Deploy Windows 10 in cloud configuration), and News and support (Intune Customer Success blog; What's happening in Intune; What's new in Microsoft Intune; Features in development).] 

FIGURE 3-54 Microsoft Endpoint Manager admin center portal 
This option will allow you to configure device security settings and manage security tasks 
for devices when those devices are at risk. When you click the Endpoint Security option, you 
will see the dashboard shown in Figure 3-55. 


[Figure 3-55: Endpoint security | Overview dashboard, headed "Protect and secure devices from one place: Enable, configure, and deploy Microsoft Defender for Endpoint to help prevent security breaches and gain visibility into your organization's security posture." Left pane: Overview, All devices; under Manage: Antivirus, Disk encryption, Firewall, Endpoint detection and response, Attack surface reduction, Account protection, Device compliance, Conditional access; under Setup: Microsoft Defender for Endpoint; Help and support. Main pane tiles: Microsoft recommended security settings (Assign baselines quickly and securely using our recommended settings; View Security Baselines), Simplified security policies (Select one of the categories to jump right in and manage your devices), and Remediate endpoint weaknesses (Remediate endpoint vulnerabilities reported by Microsoft Defender for Endpoint Threat and Vulnerability Management; View security tasks).] 

FIGURE 3-55 Endpoint security dashboard 


By default, the Overview option is selected, and this option allows you to perform the 
following operations: 

■ Assign security baselines: Security baselines are pre-configured groups of Windows 
settings that help you apply a recommended configuration by the relevant security 
teams. 
■ Configure security policies: Here, you can configure policies for antivirus, disk 
encryption, firewalls, and several other areas that are available through the integration 
with MDE. 
■ Remediate endpoint weakness: Remediate endpoint vulnerabilities reported by 
MDE and Threat and Vulnerability Management (TVM). 


Integration with MDE 


Vulnerabilities that are discovered are actually based on MDE configurations and scan details. 
However, only issues Intune can remediate are raised as security tasks for Intune. An advantage 
of the integration between Intune and MDE is that you can review security tasks in Intune that 
identify at-risk devices and provide steps to mitigate that risk. You can then use the tasks to 
report back to MDE when those risks are successfully mitigated. 


MORE INFO VULNERABILITIES IDENTIFIED BY MDE 


For more information about how to use Intune to remediate vulnerabilities identified by MDE, 
see http://aka.ms/sc900_mdeintune. 
Conditional access 

Conditional access is available on the Endpoint Security dashboard in the left navigation pane 
(see Figure 3-55). You should use a compliance policy to establish the conditions by which 
devices and users are allowed to access your network and your organization's resources. While 
the compliance options available will depend on the platform you use, some common policy 
rules are shown here: 

■ Requiring devices to run a minimum or specific OS version 
■ Setting password requirements 
■ Specifying a maximum allowed device threat level, as determined by Microsoft 
Defender for Endpoint or another Mobile Threat Defense partner 

If the organization requires that devices in a different geolocation have a different 
type of access, you can leverage the location attribute as part of the compliance policy. 
If a device fails to comply with this policy, you can also establish actions to be taken for 
non-compliant devices. These actions are a time-ordered sequence of actions to apply to 
non-compliant devices. There are many options available to take reactive measures. Following 
are a few examples: 

■ Sending email or notifications to alert device users about non-compliance 
■ Remotely locking devices 
■ Retiring non-compliant devices and removing any company data that might be on them 
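To make the compliance policy, the time-ordered actions for non-compliance, and the hand-off to device-based conditional access concrete, here is an added Python simulation. It is not Intune's own code or API: the device records, the policy values, the threat-level ordering and the action schedule are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Device threat levels as reported by Microsoft Defender for Endpoint or a
# Mobile Threat Defense partner, ordered least to most severe
# (constructed ordering for this simulation).
THREAT_LEVELS: Dict[str, int] = {"secured": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class Device:
    """Constructed device record, standing in for what Intune sees at check-in."""
    name: str
    os_version: str          # dotted version string, e.g. "10.0.19044"
    password_set: bool       # does the device have a password/PIN configured?
    threat_level: str        # one of THREAT_LEVELS
    days_noncompliant: int   # days since the device first failed the policy


@dataclass
class CompliancePolicy:
    """Hypothetical compliance policy with the three common rules from the text."""
    min_os_version: str
    require_password: bool
    max_threat_level: str
    # Actions for non-compliance as (grace period in days, action). Intune
    # applies these as a time-ordered sequence; 0 days means immediately.
    actions: List[Tuple[int, str]] = field(default_factory=list)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.0.19044' into (10, 0, 19044) so versions compare numerically,
    not as strings (where '10.0.9' would wrongly sort above '10.0.19044')."""
    return tuple(int(part) for part in version.split("."))


def evaluate(device: Device, policy: CompliancePolicy) -> List[str]:
    """Return the policy rules the device fails; an empty list means compliant."""
    failures: List[str] = []
    if parse_version(device.os_version) < parse_version(policy.min_os_version):
        failures.append(
            f"OS version {device.os_version} is below minimum {policy.min_os_version}")
    if policy.require_password and not device.password_set:
        failures.append("no device password set")
    if THREAT_LEVELS[device.threat_level] > THREAT_LEVELS[policy.max_threat_level]:
        failures.append(
            f"threat level {device.threat_level} exceeds allowed {policy.max_threat_level}")
    return failures


def is_compliant(device: Device, policy: CompliancePolicy) -> bool:
    return not evaluate(device, policy)


def due_actions(device: Device, policy: CompliancePolicy) -> List[str]:
    """Non-compliance actions whose grace period has elapsed, in the order
    the schedule applies them. A compliant device gets no actions."""
    if is_compliant(device, policy):
        return []
    return [action for days, action in sorted(policy.actions)
            if device.days_noncompliant >= days]


def conditional_access_decision(device: Device, policy: CompliancePolicy) -> str:
    """Device-based conditional access: Intune reports only the compliance
    state to Azure AD, which then grants or blocks access on that basis."""
    return "grant" if is_compliant(device, policy) else "block"


# Constructed sample policy for Windows devices (values are illustrative).
WINDOWS_POLICY = CompliancePolicy(
    min_os_version="10.0.19044",
    require_password=True,
    max_threat_level="medium",
    actions=[
        (0, "mark device non-compliant"),
        (1, "send email to end user"),
        (7, "remotely lock the device"),
        (30, "retire the device"),
    ],
)

# Constructed sample devices: one healthy, one on an old OS build, one with
# no password and a high threat level that has been ignored for 45 days.
SAMPLE_DEVICES = [
    Device("LAPTOP-01", "10.0.22000", True, "low", 0),
    Device("LAPTOP-02", "10.0.18363", True, "low", 10),
    Device("LAPTOP-03", "10.0.22000", False, "high", 45),
]


def compliance_report(devices: List[Device], policy: CompliancePolicy) -> Dict[str, dict]:
    """Summarise each device: failures, actions now due, and the CA decision."""
    return {
        d.name: {
            "failures": evaluate(d, policy),
            "due_actions": due_actions(d, policy),
            "conditional_access": conditional_access_decision(d, policy),
        }
        for d in devices
    }
```

Running `compliance_report(SAMPLE_DEVICES, WINDOWS_POLICY)` shows LAPTOP-02 blocked with the email and lock actions already due but retirement still 20 days away, which is the behaviour the grace periods are meant to produce.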


Thought experiment 


In this thought experiment, demonstrate your skills and knowledge of the topics covered in this 
chapter. You can find answers to this thought experiment in the next section. 


Thought experiment: Designing Contoso's Security Architecture 


Contoso has different departments, and each department has applications that are 
assigned an IP in a department-specific subnet. The Network/Security Team must 
allow the department to maintain the network traffic in and out of the subnet. At the 
same time, it is necessary to have a centralized network firewall to filter traffic coming 
from the Internet to the internal subnets. Contoso needs to allow remote workers 
to manage Windows servers that are located in a centralized subnet, and this management 
access must be initialized via the Azure portal. Contoso's Cloud Security 
Posture Management team needs to continue improving Contoso's security posture 
and be able to measure progress over time. 
A technical requirement established by Contoso's SOC Team is that they must have 
threat detection for storage, SQL, and Key Vault. The alerts must be streamed to a 
cloud-based SIEM solution that can also be used to investigate incidents. Another 
requirement is that Contoso must monitor the on-premises domain controllers to 
ensure that identity-related attacks can be identified. 


Also, Contoso needs an MDM and MAM solution that integrates with the EDR that the 
organization will adopt. The EDR solution must be integrated with the selected SIEM 
solution to provide a single pane of glass for alerts. With this information in mind, 
answer the following questions: 


1. What needs to be implemented on the department's subnet to allow network traffic 
to be filtered? 
2. What solution should be used to control inbound traffic coming from the Internet? 
3. How should the SOC's technical requirement for threat detection be addressed? 
4. What SIEM solution should be utilized to address Contoso's requirements? 
5. What solution should be used to protect the on-premises domain controllers based 
on Contoso's requirements? 
6. What MDM and MAM solution should be utilized to address Contoso's 
requirements? 


Thought experiment answers 


This section contains the solution to the thought experiment. Each answer explains why the 
answer choice is correct. 


1. Network security group. This is a typical scenario where you can use NSG to create 
a segmentation of the network. NSG is natively available and free. You don't need a 
robust firewall to perform this task. 
2. Azure Firewall. In this case, you need a centralized device to control all Internet traffic, 
which fits better for an Azure Firewall deployment. 
3. Defender for Storage, Defender for SQL, and Defender for Key Vault. You need to 
enable the Microsoft Defender for Cloud plan that corresponds to each workload that 
you want to protect. 
4. Microsoft Sentinel. Microsoft Sentinel is a cloud-based SIEM, which is a requirement for 
Contoso. 
5. Microsoft Defender for Identity. To monitor Domain Controllers that are on-premises, 
Microsoft Defender for Identity provides the right set of threat detections for this 
scenario. 
6. Microsoft Intune. Microsoft Intune is fully integrated with Microsoft Defender for 
Endpoint, which is a requirement for Contoso. 
Chapter summary 


■ Network security groups (NSG) in Azure allow you to filter network traffic by creating rules that 
allow or deny inbound network traffic to or outbound network traffic from different types of 
resources. 

■ While the basic protection provides automatic attack mitigations against DDoS, some 
capabilities are only provided by the DDoS Standard tier. The organizational requirements 
are what will determine which tier you will utilize. 

■ Azure Firewall provides a stateful, centralized network firewall-as-a-service that 
provides network- and application-level protection across different subscriptions and 
virtual networks. 

■ Azure Bastion is a PaaS service that you can deploy to allow you to connect to a virtual 
machine using your browser and the Azure portal. 

■ Web Application Firewall (WAF) provides centralized protection of your web applications 
from common exploits and vulnerabilities. 

■ You can encrypt your Windows and Linux virtual machines' disks using Azure Disk 
Encryption (ADE). For Windows OS, you need Windows 8 or later (for client) and 
Windows Server 2008 R2 or later (for servers). 

■ Azure Key Vault allows you to store information that should not be made public, such 
as secrets, certificates, and keys. Because Key Vaults can store sensitive information, 
you naturally want to limit who has access to it rather than allowing access to the whole 
world. 

■ Microsoft Defender for Cloud gives organizations complete visibility and control over 
the security of hybrid cloud workloads, including compute, network, storage, identity, 
and application workloads. By actively monitoring these workloads, Defender for Cloud 
enhances the overall security posture of the cloud deployment and reduces the exposure 
of resources to threats. 

■ Defender for Cloud reviews your security recommendations across all workloads, 
applies advanced algorithms to determine how critical each recommendation is, and 
calculates your Secure Score based on them. 

■ Cloud Workload Protection Platform (CWPP) enables organizations to assess their cloud 
workload risks and detect threats against their Server (IaaS), containers, databases 
(PaaS), and storage. It also allows organizations to identify faulty configurations and 
remediate those with security best-practices configurations. 

■ Many organizations already have a SecOps team dedicated to maintaining the security 
operations and a Cloud Security Posture Management (CSPM) team responsible for 
monitoring the security posture of cloud workloads. Defender for Cloud has capabilities 
that can be leveraged by the SecOps Team and the CSPM Team. 

■ Azure Security Benchmark is Azure's own security control framework, which is based 
on industry standards that enable customers to meet their security control requirements 
in Azure. 

■ Typically, a SIEM is the core system or software that a Security Operations Center (SOC) 
uses to monitor, manage, and respond to security incidents. 

■ Security Orchestration, Automation, and Response (SOAR) allows organizations to 
interact with disparate systems and assist with security incidents, typically in an automated 
fashion. 

■ Extended detection and response (XDR) solutions automatically collect and correlate 
data from multiple security products, thereby improving threat detection and giving 
you an incident response capability. 

■ Microsoft Defender to Cloud is the world's first cloud-native SIEM and SOAR solution. 
It was built from the ground up in the cloud and allows organizations to scale with their 
SIEM and SOAR demands. 

■ Microsoft 365 (M365) Defender protects endpoints, email, identities, and cloud 
applications. 

■ Microsoft Defender for Identity, sometimes referred to as MSDI, is a cloud-based security 
solution for monitoring on-premises domain controllers. 

■ Microsoft Defender for Office 365 (MSDO) provides threat protection for email, links 
(URLs), and collaboration tools, including Microsoft Teams, SharePoint Online, OneDrive 
for Business, and Exchange Online. 

■ Microsoft Defender for Endpoint (MSDE) is designed to protect endpoints, which allows 
enterprises to prevent, detect, investigate, and respond to advanced threats. 

■ Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB). It provides 
rich visibility into your cloud apps and services and gives you control over data and 
analytics to detect threats across your cloud services. 

■ Microsoft Intune is a cloud-based solution for MDM and MAM that enables 
organizations to control devices, including mobile phones, tablets, and laptops. 

■ The endpoint security policies available in Intune are meant to help you focus on 
the security of your devices while mitigating potential risks. Intune provides endpoint 
security policies that are tightly focused and device-level security settings that 
determine the configuration of many components. 
Describe the capabilities of Microsoft compliance solutions 


Many organizations operate in a regulated industry and must comply with one or more sets 
of legal and regulatory standards for information technology or information security. Keeping 
track of and reporting compliance for these standards has become increasingly complex 
over the past decade, especially with the adoption of cloud technologies. There are 
health-related regulations like the Health Insurance Portability and Accountability Act (HIPAA), rules 
related to student privacy like the Family Educational Rights and Privacy Act (FERPA), and ISO 
standards like ISO 27701, which provide guidance for the management of personal information. 
Microsoft has many compliance solutions that can assist organizations with protecting 
themselves as well as their customers and partners. 


Skills covered in this chapter: 

■ Common compliance needs 
■ Information protection and governance 
■ Insider risk 
■ eDiscovery 
■ Auditing 
■ Resource governance 


Skill 4-1: Common compliance needs 


While managing compliance for one or more regulations and standards is difficult, Microsoft 
has built-in tools and capabilities to help address this complexity. In this section, we will 
discuss some of these tools and how they can help organizations protect their sensitive 
information, manage data governance, and respond to regulatory requests in a timely manner. This 
section covers the skills necessary to describe common compliance needs according to the 
Exam SC-900 outline. 
Microsoft Compliance Center 


The Microsoft 365 Compliance Center is a portal that provides quick access to the data and 
tools your organization needs to manage compliance. Collecting the necessary information 
is one of the most difficult challenges organizations face. The Compliance Center provides a 
central location that gathers all the various compliance tools provided by Microsoft and helps 
you understand where to go next. 


When you log into the Compliance Center, you are presented with some introductory 
information and several cards (tiles) related to compliance management across Microsoft 365, 
as shown in Figure 4-1. 
FIGURE 4-1 Microsoft 365 Compliance Center home page 


These cards show a visual representation of your organization's current data compliance 
posture, various solutions available to your organization, and a summary of active alerts 
related to compliance. In addition to the cards presented in the Compliance Center, the 
navigation pane on the left side provides access to additional information and solutions to help 
manage compliance. The following areas are available via the navigation pane: 

■ Home: Returns you to the M365 Compliance Center main page. 
■ Compliance Manager: Allows you to check your compliance score and manage 
compliance for your organization. 
■ Data Classification: Provides access to trainable classifiers, sensitive information 
type entity definitions, and Content Explorer and Activity Explorer. 
■ Data Connectors: Allows you to configure connectors to import and archive data 
in your Microsoft 365 subscription. 
■ Alerts: Provides access to view and resolve active alerts. 
■ Reports: Shows reports related to label usage and retention, DLP policy matches, 
shared files, and third-party apps in use. 
■ Policies: Allows you to establish policies to govern data and manage devices. 
Provides access to both DLP and retention policies. 
■ Permissions: Provides options for managing who has access to the Microsoft 365 
Compliance Center to view content or complete tasks. Additional information will be 
provided later in this section related to permissions management. 
■ Catalog: Provides information about the compliance and risk management solutions 
available to your organization. 
■ Audit: Shows the audit log allowing users to investigate common support and 
compliance issues. 
■ Content Search: Allows you to find emails in Exchange mailboxes, documents in 
SharePoint sites and OneDrive locations, and instant messaging conversations in 
Microsoft Teams and Skype for Business. 
■ Communication Compliance: Provides options for minimizing communication 
risks by automating the capture of inappropriate messages, investigating possible 
policy violations, and taking remedial steps. 
■ Data Loss Prevention: Allows you to create rules to detect sensitive content being 
used and shared throughout your organization, both in the cloud and on devices, 
and helps to prevent accidental data loss. 
■ Data Subject Requests: Helps you to respond to General Data Protection Regulation 
(GDPR) data subject requests by finding and exporting user personal data. 
■ eDiscovery: Provides both core and advanced eDiscovery options for preserving, 
collecting, reviewing, analyzing, and exporting content related to your organization's 
internal and external investigations. 
■ Information Governance: Allows you to manage your content lifecycle with features 
to import, store, and classify business-critical data. 
■ Information Protection: Provides configuration of sensitivity labels and policies to 
discover, classify, and protect sensitive and business-critical content throughout its 
lifecycle. 
■ Insider Risk Management: Allows you to detect risky activity across your organization 
to help you quickly identify, investigate, and act on insider risks and threats. 
■ Records Management: Allows you to configure the retention schedule for regulatory, 
legal, and business-critical records in your organization. 
As you can see, the Compliance Center provides quick access to many different areas 
related to compliance in Microsoft 365. We will discuss several of these areas in further detail 
throughout this chapter. 


Permissions in the Microsoft 365 Compliance Center 


The Microsoft 365 Compliance Center allows you to directly manage permissions for users who 
perform compliance tasks in Microsoft 365. From the Permissions tab in the navigation pane, you 
can manage both Azure AD roles and Compliance Center—dedicated roles, as shown in Figure 4-2. 
FIGURE 4-2 Microsoft 365 Compliance Center Permissions & Roles page 


To view the Permissions tab in the Microsoft 365 Compliance Center, users need to be a 
global administrator or need to be assigned the Role Management role. The available Azure 
AD roles were described earlier in Skill 2-4, “Describe the identity protection and governance 
capabilities of Azure AD.” This section will focus on the Compliance Center role groups. Role 
groups are role-based access control (RBAC) permission groups that contain the appropriate 
roles for accessing the various functions within the Microsoft 365 Compliance Center. The 
following role groups exist in the Compliance Center: 


■ Communication Compliance: Provides permission to all the communication 
compliance roles: administrator, analyst, investigator, and viewer. 
■ Communication Compliance Administrators: Administrators of communication 
compliance who can create and edit policies and define global settings. 
■ Communication Compliance Analysts: Analysts of communication compliance 
who can investigate policy matches, view message metadata, and take remediation 
actions. 
■ Communication Compliance Investigators: Analysts of communication compliance 
who can investigate policy matches, view message content, and take remediation 
actions. 
■ Communication Compliance Viewers: Viewers of communication compliance 
who can access the available reports and widgets. 
■ Compliance Administrator: Members can manage settings for device management, 
data loss prevention, reports, and preservation. 
■ Compliance Data Administrator: Members can manage settings for device 
management, data protection, data loss prevention, reports, and preservation. 
■ Compliance Manager Administrators: Manage template creation and 
modification. 
■ Compliance Manager Assessors: Create assessments, implement improvement 
actions, and update the test status for improvement actions. 
■ Compliance Manager Contributors: Create assessments and perform work to 
implement improvement actions. 
■ Compliance Manager Readers: View all Compliance Manager content except for 
administrator functions. 
■ Content Explorer Content Viewer: View the contents of files in Content Explorer. 
■ Content Explorer List Viewer: View all items in Content Explorer in list 
format only. 
■ eDiscovery Manager: Members can perform searches and place holds on mailboxes, 
SharePoint Online sites, and OneDrive for Business locations. Members can 
also create and manage eDiscovery cases, add and remove members to a case, 
create and edit Content Searches associated with a case, and access case data in 
Advanced eDiscovery. 
■ Global Reader: Members have read-only access to reports and alerts and can see 
all the configuration and settings. The primary difference between Global Reader 
and Security Reader is that a Global Reader can access configuration and settings. 
■ Insider Risk Management: Use this role group to manage insider risk management 
for your organization in a single group. This role group contains all the insider 
risk management permission roles. 
■ Insider Risk Management Admins: Use this role group to initially configure 
insider risk management. Later, use it to segregate insider risk administrators into a 
defined group. Users in this role group can create, read, update, and delete insider 
risk management policies, global settings, and role group assignments. 
■ Insider Risk Management Analysts: Use this group to assign permissions to users 
who will act as insider risk case analysts. Users in this role group can access all insider 
risk management alerts, cases, and notices templates. They cannot access the insider 
risk Content Explorer. 
■ Insider Risk Management Auditors: Use this group to assign permissions to users 
who will audit insider risk management activities. Users in this role group can access 
the insider risk audit log. 
■ Insider Risk Management Investigators: Use this group to assign permissions to 
users who will act as insider risk data investigators. Users in this role group can access 
all insider risk management alerts, cases, notices templates, and the Content Explorer 
for all cases. 
■ IRM Contributors: This role group is visible but is used by background services 
only. 
■ MailFlow Administrator: Members can monitor and view mail flow insights and 
reports in the Security & Compliance Center. 
■ Organization Management: Members can control permissions for accessing features 
in the Security & Compliance Center and can also manage settings for device 
management, data loss prevention, reports, and preservation. 
■ Quarantine Administrator: Members can access all Quarantine actions. 
■ Records Management: Members can configure all aspects of records management, 
including retention labels and disposition reviews. 
■ Reviewer: Members can access review sets in Advanced eDiscovery cases. Members 
of this role group can see and open the list of cases on the eDiscovery > 
Advanced page in the Microsoft 365 Compliance Center that they are members of. 
■ Security Administrator: Members have access to a number of security features of 
Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 
Service Health, and Security & Compliance Center. 
■ Security Operator: Members can manage security alerts and view reports and 
settings of security features. 
■ Security Reader: Members have read-only access to a number of security features 
of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 
365 Service Health, and Security & Compliance Center. 
■ Service Assurance User: Members can access the Service assurance section in the 
Security & Compliance Center. 
■ Supervisory Review: Members can create and manage the policies that define 
which communications are subject to review in an organization. 


MORE INFO ROLE GROUPS


To see additional information regarding the roles included in each of the role groups, see 
https://aka.ms/SC900_ComplianceRoleGroups. 


EXAM TIP


Different role groups allow access to specific areas of the Microsoft 365 Compliance Center. 
Understand which role groups are required for access to these areas. 


Microsoft Compliance Manager 


Microsoft Compliance Manager is a subset of the functionality of the Microsoft 365 Compliance Center and can be accessed via the navigation menu in the Compliance Center. This feature allows you to manage your organization's compliance requirements by providing an inventory of your data protection risks, supplying prebuilt and custom assessments that can help your organization comply with common industry and regional standards and regulations, and guiding you to improvement actions that can help increase your compliance score. Compliance Manager provides step-by-step guidance to assist organizations with implementing regulatory requirements and helps to translate complicated regulations into simple language.


Compliance Manager is broken down into four key elements: controls, assessments, templates, and improvement actions. When navigating to Compliance Manager, you start on the Overview page, as shown in Figure 4-3.

FIGURE 4-3 Compliance Manager Overview page


The Overview page shows the Compliance Manager dashboard, which displays your organization's current compliance score, draws your attention to areas of improvement, and lists key improvement actions. In addition, the Compliance Center allows you to manage the workflow of controls and assign tasks to appropriate personnel. When first accessing the Compliance Manager, your compliance score is based on the Microsoft 365 data protection baseline. This baseline is a set of controls that includes common industry regulations and standards.


Controls 


A control is a requirement of a regulation, standard, or policy. These controls define how you can assess and manage system configuration, organizational process, and responsible parties for meeting specific requirements. There are three types of controls that Compliance Manager tracks: Microsoft-managed controls, your controls, and shared controls.

Microsoft-managed controls are controls related to Microsoft cloud services. Microsoft is responsible for the implementation of these controls, though you might have to report on those controls to your regulators. Your controls, also called customer-managed controls, are implemented and managed by your organization. Finally, shared controls are those that both your organization and Microsoft share the responsibility for implementing.


Assessments 


Assessments are groupings of controls related to a specific regulation, standard, or policy. Assessments are comprised of five components:

■ In-scope services The specific set of Microsoft services applicable to the assessment.

■ Microsoft-managed controls Controls for Microsoft cloud services, which Microsoft implements on your behalf.

■ Your controls Sometimes referred to as customer-managed controls, these are controls implemented and managed by your organization.

■ Shared controls These are controls that both your organization and Microsoft share responsibility for implementing.

■ Assessment score Shows your progress in achieving total possible points from actions within the assessment that are managed by your organization and by Microsoft.

Assessments can be assigned to custom groups that allow you to organize them in a way that is most logical for your organization. These groups can then be used to filter results in the Compliance Manager dashboard to see your compliance score related to a specific group or multiple groups.


Templates 


Templates are provided within Compliance Manager to help you easily create assessments for specific regulations or standards your organization needs to comply with. Compliance Manager provides more than 325 prebuilt templates that can be modified and optimized to meet your organization's needs. You may also build custom assessments by creating a template with your own controls and actions.


MORE INFO COMPLIANCE MANAGER TEMPLATES 


A full list of the available Compliance Manager templates can be found at 
https://aka.ms/SC900_CMTemplates. 


Improvement actions 


Improvement actions provide recommended guidance intended to help you align with data protection regulations and standards. These actions can be assigned to users within your organization for both testing and implementation. Improvement actions can also be used to store status updates, documentation, and notes related to the activity.


The Improvement Actions tab contains a list of actions your organization can take to improve its compliance score. These actions can be filtered to show actions related to specific regulations, solutions, groups, categories, the current test status, and who the improvement action has been assigned to. Figure 4-4 shows a few of the improvement actions that you might see on the Improvement Actions tab in Compliance Manager.

FIGURE 4-4 Compliance Manager Improvement Actions tab


EXAM TIP 
Make sure you know the key elements of Compliance Manager and how they are used. 


Compliance Score 


Compliance score was mentioned several times in the previous section because it is exposed 
through Compliance Manager, and there are several tools in Compliance Manager that can 
help improve your compliance score. For the exam, you need to understand the purpose of the 
compliance score and the benefits it provides to your organization. 


The overall compliance score for your organization is displayed in the Compliance Manager dashboard, as shown earlier in Figure 4-3. This score is initially based on the Microsoft 365 data protection baseline, which is a set of controls that includes key regulations and standards for data protection and general data governance. In addition to the overall score that is displayed in the Compliance Manager dashboard, there is a detailed compliance score breakdown that shows your organization's compliance score for each of the compliance categories. An example of this is shown in Figure 4-5.

FIGURE 4-5 Compliance score breakdown


Understanding compliance score 


The compliance score is calculated using points that are assigned to actions that your organization or Microsoft can take to improve your compliance posture. Actions are grouped based on whether they are technical or non-technical, and the impact they have on the compliance score differs by their type.

Technical actions are completed by interacting with the technology of a solution, such as changing a configuration. This type of action only grants points once, regardless of the number of groups the action belongs to. Non-technical actions are implemented without interacting with the technology of a solution and are categorized as documentation or operational actions. These actions are applied at the group level, and thus you will receive points each time this action is taken, even if the action exists in multiple groups.


The scores assigned to various actions are based on whether they are mandatory or discretionary and if they are preventative, detective, or corrective actions. Mandatory and preventative actions have the highest score value. Point values for the improvement actions are shown in Table 4-1.


TABLE 4-1 Improvement actions point values

                 Mandatory    Discretionary
Preventative     +27          +9
Detective        +3           +1
Corrective       +3           +1


Compliance score is weighted in this manner to encourage organizations to take actions 
that will have a high impact on their security and compliance postures. 
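As an added example (not code from the book or from Microsoft), the following Python models the scoring rules just described: the point values of Table 4-1, technical actions counting once however many groups they belong to, and non-technical actions counting once per group. The action names, groups, and the achieved/achievable percentage are constructed assumptions for illustration, not Microsoft's exact formula.

```python
from dataclasses import dataclass, field

# Point values from Table 4-1, keyed by (requirement, kind of action).
POINT_VALUES = {
    ("mandatory", "preventative"): 27,
    ("discretionary", "preventative"): 9,
    ("mandatory", "detective"): 3,
    ("discretionary", "detective"): 1,
    ("mandatory", "corrective"): 3,
    ("discretionary", "corrective"): 1,
}


@dataclass
class ImprovementAction:
    name: str
    technical: bool            # True: configuration change; False: documentation/operational
    requirement: str           # "mandatory" or "discretionary"
    kind: str                  # "preventative", "detective" or "corrective"
    groups: frozenset          # assessment groups the action belongs to
    completed_in: frozenset = field(default_factory=frozenset)  # groups where it is done


def base_points(action: ImprovementAction) -> int:
    """Point value of a single completion, taken from Table 4-1."""
    return POINT_VALUES[(action.requirement, action.kind)]


def max_points(action: ImprovementAction) -> int:
    """Achievable points: technical actions count once, non-technical once per group."""
    if action.technical:
        return base_points(action)
    return base_points(action) * len(action.groups)


def earned_points(action: ImprovementAction) -> int:
    """Points achieved so far under the same counting rule."""
    done = action.completed_in & action.groups
    if not done:
        return 0
    if action.technical:
        return base_points(action)              # once, regardless of group count
    return base_points(action) * len(done)      # once per group it was completed in


def compliance_score(actions) -> dict:
    """Achieved over achievable points as a percentage. This ratio is an assumption
    made for the example, a simplification of the dashboard score."""
    earned = sum(earned_points(a) for a in actions)
    achievable = sum(max_points(a) for a in actions)
    percent = round(100 * earned / achievable, 1) if achievable else 0.0
    return {"earned": earned, "achievable": achievable, "percent": percent}


# Constructed sample actions: two assessment groups (GDPR, ISO27001) share some actions.
SAMPLE_ACTIONS = [
    ImprovementAction("Require MFA for admin accounts", True, "mandatory", "preventative",
                      frozenset({"GDPR", "ISO27001"}), frozenset({"GDPR"})),
    ImprovementAction("Document data retention procedure", False, "mandatory", "preventative",
                      frozenset({"GDPR", "ISO27001"}), frozenset({"GDPR"})),
    ImprovementAction("Review audit logs weekly", False, "discretionary", "detective",
                      frozenset({"ISO27001"})),
    ImprovementAction("Enable DLP alert policies", True, "discretionary", "detective",
                      frozenset({"GDPR", "ISO27001"}), frozenset({"GDPR", "ISO27001"})),
]

if __name__ == "__main__":
    for a in SAMPLE_ACTIONS:
        print(f"{a.name}: {earned_points(a)}/{max_points(a)}")
    print(compliance_score(SAMPLE_ACTIONS))   # earned 55 of 83 achievable, 66.3 percent
```

Note how the documentation action, completed in only one of its two groups, earns 27 of 54 points, while the MFA action earns its full 27 from a single completion.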
EXAM TIP

Make sure you understand how the compliance score is calculated and the number of points you can receive based on technical versus non-technical actions and point values for preventative actions. (Points count only once for technical actions, but they can count multiple times for different groups for non-technical actions.)


Skill 4-2: Information protection and governance 


Organizations today are faced with the proliferation of data on a scale never before seen. There are many regulations regarding the handling of information, and more coming out each year. Organizations are faced with the daunting task of bringing their data estates under control and organizing decades' worth of existing data while also handling new data that is created each day. Microsoft provides many tools and solutions for the protection and governance of this information. This section covers the skills necessary to understand the various capabilities of Microsoft information protection and governance according to the Exam SC-900 outline.


Data classification capabilities 


The advent of the cloud and digital business models are generating a never-before-seen 
volume, velocity, and variety of data. Organizations need to know their data to ensure that it is 
handled in accordance with compliance regulations and standards. Microsoft has several data 
classification capabilities to help with this, including predefined sensitive information types, 
trainable classifiers, Content Explorer, and Activity Explorer, which can help organizations 
discover and label their sensitive data. 


Figure 4-6 shows the Data Classification page of the Microsoft Compliance Center. The Overview tab shows the following information:

■ Graphics for the most used sensitive information types found in your data
■ How sensitivity and retention labels are being applied to content
■ A summary of the most common actions being taken on labeled items
■ Sensitivity and retention labeled data by location

FIGURE 4-6 Data Classification page in the Microsoft Compliance Center
Sensitive information types can be used to identify sensitive information based on specific keywords, functions, or regular expressions. Microsoft 365 has many built-in sensitive information types that can help organizations to quickly identify sensitive data. Some examples of these include credit card numbers, tax ID numbers, bank account numbers, and health-related information. You can also create custom sensitive information types to identify and classify data specific to your organization, such as employee ID numbers, customer account numbers, sensitive project codenames, or part numbers.

Trainable classifiers are another data classification option available in the Microsoft 365 Compliance Center. These classifiers use artificial intelligence and machine learning to intelligently classify your data based on what the item is, rather than using pattern matching to identify elements that are within that item. There are two types of classifiers: pre-trained classifiers and custom classifiers. Pre-trained classifiers are created and trained by Microsoft to identify five types of data:

■ Resumes Detects items that can contain sensitive personal information related to applicants

■ Source code Written in the top 25 computer programming languages used on GitHub

■ Harassment Detects offensive language related to offensive conduct targeting individuals based on race, ethnicity, religion, national origin, gender, sexual orientation, age, or disability

■ Profanity Detects offensive language that contains expressions that embarrass most people

■ Threat Detects offensive language related to threats to commit violence or do physical harm or damage to a person or property

These pre-trained classifiers will appear in the Compliance Center with a status of Ready To Use. Custom trainable classifiers are ones that are created by your organization and are typically used when classifying data that is unique to your organization, such as specific contracts or legal documents, financial information, or customer records. Creating a custom trainable classifier requires you to provide 50-500 samples of data that is a positive match for the category. After the samples have been processed, a prediction model will be created, and you can then test the classifier by giving it both positive and negative samples of the data to ensure it is accurately matching the content. You can then provide feedback on the results verifying whether each prediction is correct, incorrect, or you are not sure. The classifier will use this feedback to improve the prediction model.


MORE INFO CUSTOM TRAINABLE CLASSIFIERS


More detail on creating custom trainable classifiers can be found at 
https://aka.ms/SC900_TrainableClassifiers. 
Content Explorer and Activity Explorer


Classifying large amounts of data can be a daunting task, and understanding all that data can 
be even more difficult. Microsoft has created the Content Explorer and Activity Explorer to 
assist organizations with visualizing large amounts of data, understanding the actions that are 
taking place on that data, and even directly accessing the content found. 


Content Explorer shows a consolidated view of data that has a sensitivity or retention label 
assigned or has been classified as a sensitive information type for your organization. To access 
Content Explorer, a user must be a member of either the Content Explorer List Viewer role or 
the Content Explorer Content Viewer role. Content Explorer allows you to quickly identify 
where sensitive data is located across multiple locations, as shown in Figure 4-7. 
FIGURE 4-7 Content Explorer


You can drill further down to specific locations to find documents that contain that sensitive 
information, and with the appropriate permissions, you can directly view the matched content, 
as shown in Figure 4-8. 
FIGURE 4-8 Viewing specific content using Content Explorer


Activity Explorer supplements the functionality of Content Explorer by showing what activities have taken place on labeled content over time. This can include when documents are read, the users who have accessed those documents, and when labels on documents are changed or downgraded (for instance, going from Highly Confidential to Public). More than 30 filters are available to help you identify the activities you are interested in, including the date range, type of activity, user, DLP policy, and sensitivity or retention labels.

Activity Explorer uses the Microsoft 365 audit logs to gather labeling activity information. Tracked label activities include both sensitivity and retention label activity from native Office applications, the Azure Information Protection add-in, Exchange Online (sensitivity only), SharePoint Online, and OneDrive. Some of the label activities that are tracked include when labels are applied or changed, when protection is applied or changed, and when files are discovered or read.


MORE INFO LABEL ACTIVITIES 


A full list of label activities tracked by Activity Explorer can be found at 
https://aka.ms/SC900_LabelActivities. 


In addition to labeling activities, Activity Explorer also tracks DLP policy matches from multiple services and locations, including the following:

■ Exchange Online
■ SharePoint Online
■ OneDrive
■ Teams chat and channels
■ On-premises SharePoint folders and libraries
■ On-premises file shares
■ Windows 10 devices via Endpoint DLP


Activity Explorer helps organizations understand the actions that users are taking on sensitive labeled content. This can help determine if the policies and controls they have put in place are effective and what might need to be modified or improved.


Sensitivity labels 


Microsoft Information Protection (MIP) can help organizations discover, classify, and protect sensitive information wherever it lives or travels. Sensitivity labels are core to these activities and were discussed earlier in this chapter. Sensitivity labels enable you to classify and protect your organization's data while ensuring that user productivity and users' ability to collaborate are not hindered. But what exactly are sensitivity labels?


Sensitivity labels are metadata that is applied to content that can include visual content 
markings and the encryption of the data itself. This metadata, markings, and encryption are 
applied directly to the data and follow that data wherever it is stored or travels. Sensitivity 
labels are like a tag that is applied to content. Sensitivity labels are customizable, stored as 
clear text metadata within files and emails, and are persistent. 


Sensitivity labels can be customized to meet the needs of any organization and can be modeled after existing classification schemas. The default sensitivity labels that are created when you create your tenant are Personal, Public, General, Confidential, and Highly Confidential. These are almost identical to the top-level sensitivity labels used by Microsoft (the exception being the use of the Non-Business label rather than the Personal label). These labels are stored as clear text metadata within files and emails to allow DLP systems to use this information to take actions to prevent sensitive content from being compromised. Storing the labels as metadata inside files and emails allows them to be persistent and roam with the content regardless of where it is saved or stored (including on third-party file-sharing cloud services).


Each file or email may have only a single sensitivity label applied at any given time. However, you may have both a sensitivity label and a separate retention label applied to the same document. Sensitivity labels can be configured for use with files and emails, and they can be used with applications and services. Some of the main uses of sensitivity labels include:


■ Encryption Sensitivity labels can be used to encrypt emails and documents to prevent unauthorized parties from accessing the data. Sensitivity labels have options for the users and groups that have access to the document and what level of access they have (for instance, some groups may have full access while others may have view-only access). You can also allow users to assign permissions to documents on an ad-hoc basis.

■ Marking the content Sensitivity labels can be used to mark the content using Office applications to add headers, footers, and watermarks to emails and documents. (Watermarks are only available on documents.)

■ Applying labels automatically You can automatically apply labels in Office applications as you work on individual files, and use services like SharePoint Online and the AIP scanner to apply labels in bulk. You can also set conditions to have Office apps recommend a label based on the content an email or document contains.

■ Protecting content using containers (logical locations) Sensitivity labels can be used to protect content using containers when using sensitivity labels with Microsoft Teams, Microsoft 365 Groups, and SharePoint sites. Although this configuration does not directly result in the content of these containers inheriting the label and associated protection, the labels are used by the containers to control access to the location where the content is stored.

■ Protecting third-party content Sensitivity labels can be used to protect content in third-party apps and services using Microsoft Cloud App Security.

■ Labeling assets in Power BI and Azure Purview Azure Purview allows labels that have automatic and recommended conditions to apply to assets that are stored in the infrastructure cloud and both cloud and on-premises databases. Labels can be applied to Power BI datasets and reports, which allows content exported from these locations to be labeled and protected.

■ Classifying content without protection settings You can apply labels to content without encrypting content, which still enables your organization to visually map the content and track its usage and location within reports in locations like the Content Explorer and Activity Explorer.
Before sensitivity labels can be used by users, applications, and services, they must first be assigned to a label policy. Label policies allow specific users and groups to see the labels that are published to each policy. Label policies allow administrators to assign a default label that will be applied to all documents and emails created by users of a specific policy. They can also require users to justify changing the label of a document to a lower ordered label (such as changing from Confidential to Public). Additionally, policies can make labeling of documents and emails mandatory for the in-scope users. This means that a user will be required to apply a label before saving a document or sending an email.


Retention policies and labels 


Organizations today must manage an ever-growing data estate that can contain decades' worth of stored information. Retention policies and labels can help to ensure that data is kept compliant with regulations. Also, retention policies and labels ensure that users are only working with content that is current and relevant to them, and they can also reduce risk when dealing with litigation and security breaches.


Retention settings work across many different Microsoft 365 workloads, including SharePoint and OneDrive sites, Exchange mailboxes and public folders, and Teams and Yammer chats and messages. Retention settings are applied to content using retention policies, retention labels with label policies, or a combination of both.


Retention policies are used to assign uniform retention settings for content at the site or 
mailbox level. A retention policy can be used to apply specific retention labels to all content 
on a specific SharePoint site. For instance, if you have a policy that requires all documents in 
a specific SharePoint site to be retained for three years, you could apply a retention policy to 
that site. Because retention policies apply to a location rather than individual files, retention 
settings will not follow content if it is moved out of that location. However, if files are moved 
or deleted, a copy of that content will be kept in secure storage within the location for the 
remainder of the retention period. 


Retention labels, on the other hand, are used to apply retention policies on an item level, such as on an individual folder, document, or email. This means that the retention settings will stay with those items regardless of where they travel. When applying a retention label, you can have the retention period begin when the content is labeled, or you can base it on the age or last modified date of the content. A default retention label can be set for SharePoint documents, and trainable classifiers can be configured to apply retention labels to matched content. Retention labels also support disposition review for content before it is permanently deleted and can set content as a record, so an organization will always have proof of disposition when content is deleted at the end of its retention period.


Retention labels can also be used to augment retention policies. For example, there could 
be a situation where you have a site with a retention policy of three years but also have content 
in that site that needs to be retained for five years. In this case, you could use retention labels 
on the specific content that needs to be retained longer and that would take precedence. 
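The following Python, added here and not part of the book, models the policy-versus-label behavior described in this section: a site-level policy that stays with the location when content moves (the site keeps a preserved copy for the rest of its period), an item-level label that travels with the item and takes precedence, and the different dates a retention period can run from. The site names, documents, and dates are constructed for the example.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Retention:
    years: int
    start: str              # "created", "modified" or "labeled": when the clock starts


# Constructed site-level retention policies. A policy applies to the location,
# so it does not follow content that leaves the site.
SITE_POLICIES = {"hr-site": Retention(3, "created")}


@dataclass(frozen=True)
class Document:
    name: str
    location: str
    created: date
    modified: date
    label: Optional[Retention] = None     # a retention label travels with the item
    labeled_on: Optional[date] = None


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:                      # 29 February with a non-leap target year
        return d.replace(year=d.year + years, day=28)


def start_date(doc: Document, setting: Retention) -> date:
    if setting.start == "labeled":
        return doc.labeled_on
    if setting.start == "modified":
        return doc.modified
    return doc.created


def retain_until(doc: Document) -> Optional[date]:
    """The item-level label takes precedence over the site policy, as the section
    describes; with neither in place, nothing holds the content."""
    if doc.label is not None:
        return add_years(start_date(doc, doc.label), doc.label.years)
    policy = SITE_POLICIES.get(doc.location)
    if policy is not None:
        return add_years(start_date(doc, policy), policy.years)
    return None


def move(doc: Document, new_location: str):
    """Move an item. The source site keeps a preserved copy until its policy
    period ends; the label, if any, leaves with the item."""
    policy = SITE_POLICIES.get(doc.location)
    held_until = add_years(start_date(doc, policy), policy.years) if policy else None
    return replace(doc, location=new_location), held_until


# Constructed sample: a site with a three-year policy and one item labeled for five years.
CONTRACT = Document("contract.docx", "hr-site", date(2021, 1, 15), date(2021, 6, 1),
                    Retention(5, "labeled"), date(2021, 3, 1))
MEMO = Document("memo.docx", "hr-site", date(2021, 1, 15), date(2021, 6, 1))

if __name__ == "__main__":
    print(retain_until(CONTRACT))        # label wins: 2026-03-01
    print(retain_until(MEMO))            # site policy only: 2024-01-15
    moved, held = move(MEMO, "archive-site")
    print(retain_until(moved), held)     # None 2024-01-15
```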
Records management


Most organizations require a records-management solution to manage regulatory, legal, and business-critical records across their data estates. Records management in Microsoft 365 can assist organizations with management of their legal obligations, maintaining compliance with regulations, and increasing efficiency through the regular disposition of items that are no longer required to be retained, no longer of value, or no longer required for business purposes.


Records management in Microsoft 365 provides organizations with capabilities to:

■ Label content as a record using retention labels applied manually by users or automatically by identifying sensitive information, keywords, or content types.

■ Migrate and manage your retention requirements with file plan, which allows organizations to bring in an existing retention plan or build a new one for enhanced management capabilities.

■ Configure retention and deletion settings with retention labels that can set retention periods and actions based on factors such as the last modified date or the creation date.

■ Start different retention periods when an event occurs using event-based retention.

■ Review and validate disposition with disposition reviews and proof of records deletion.

■ Export information about all disposed items with the export option.

■ Set specific permissions for records manager functions in your organization.

Retention labels can be used to mark content as a record or as a regulatory record. When content is marked as a record, restrictions are put in place on the types of actions that are allowed or blocked, additional logging is generated for activities related to the item, and you have proof of disposition after the item is deleted at the end of the retention period. Regulatory records have additional controls, such as preventing the removal of the label from the item and preventing the retention period from being shortened after applying the label.


MORE INFO ALLOWED AND BLOCKED ACTIONS


Additional information about the actions that are allowed and blocked on different types of 
records can be found at https://aka.ms/SC900_RecordActions. 


Records management in Microsoft 365 has many common uses. These include the declaration and management of records using retention labels, allowing users to manually apply labels that will set retention and deletion actions on documents and labels, and allowing users to automatically set retention actions using Outlook rules. Organizations can also configure retention periods based on events like employee termination, contract expiration, and end-of-product lifecycle.


MORE INFO RECORDS MANAGEMENT USE CASES


Additional use cases for records management in Microsoft 365 can be found at 
https://aka.ms/SC900_RMCommonScenarios. 
Data loss prevention

Organizations regularly handle sensitive information, including financial data, trade secrets, and personal data that is entrusted to them by their users and customers. The act of reducing the risk of inappropriate disclosure is often referred to as data loss prevention (DLP). Microsoft 365 helps organizations implement data loss prevention through the use of DLP policies. These policies allow organizations to identify, monitor, and automatically protect sensitive items across the following:

■ Microsoft 365 services such as Teams, Exchange, SharePoint, and OneDrive
■ Office applications such as Word, Excel, and PowerPoint
■ Windows 10 endpoints
■ Non-Microsoft cloud apps
■ On-premises file shares and on-premises SharePoint


DLP policies also help users better understand compliance in real time through inline notifications and policy tips. For instance, if a user enters a Social Security number or credit card number in a Teams chat, DLP policy can automatically block the message and notify the user that this was prevented by a policy.


DLP policies allow organizations to monitor the activities that users take on sensitive items 
at rest, in transit, or in use and take protective actions. If a user attempts to take a prohibited 
action (such as storing sensitive data in unapproved locations or sharing financial information 
via email), DLP can take one of the following actions: 


■ Display a policy tip that warns the user that they might be attempting to share sensitive content inappropriately

■ Conditionally block the sharing activity and use a policy tip to provide the user with the option to override the block and capture the user's justification

■ Fully block the sharing activity with no override option

■ When dealing with data at rest, lock the sensitive content and move it to a secure quarantine location

■ Prevent the display of the sensitive information in Teams chat

To get started protecting data with DLP policies, you must first configure them properly so they will be effective. To configure DLP policies, there are four questions that must be answered:

1. What data should we monitor? Microsoft 365 includes predefined policy templates that can assist with identifying sensitive data, including financial, privacy-related, and health data. In addition, you can define a custom policy that can identify your organization's sensitive information types, sensitivity labels, or retention labels.

2. Where is the data we want to monitor stored? You must define the locations that you would like DLP to monitor for the sensitive information. These can be any of the previously mentioned locations.

3. What conditions must apply for the data to be matched by the policy? Microsoft 365 comes with predefined conditions you can use, or you can define custom conditions that will define a DLP policy match. Some examples of these include the identification of sensitive information types or sensitivity labels and when sensitive information is being shared externally.

4. What actions will be taken when data is matched to the policy? Actions that can be taken depend on the location or service where the policy match has taken place. For instance, SharePoint, Exchange, and OneDrive allow you to block external parties from accessing the content, whereas when a policy match takes place on on-premises file shares, the matched files would be moved to a secure quarantine location.
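As an added example (not the book's or Microsoft's code), this Python walks the four questions above as a small policy evaluator: a credit card sensitive information type built from a pattern plus a checksum function, a hypothetical custom Employee ID type, a set of monitored locations, an external-sharing condition, and a location-dependent action. The policy name, location and action names, and sample items are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


def luhn_valid(digits: str) -> bool:
    """Checksum function that separates a real card number from a look-alike."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Question 1: what data to monitor. Two constructed sensitive information types:
# a pattern-plus-checksum type and a keyword-style custom type for this organization.
CREDIT_CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
EMPLOYEE_ID_RE = re.compile(r"\bEMP-\d{6}\b")           # hypothetical custom type


def detect_sensitive_types(text: str) -> set:
    found = set()
    for m in CREDIT_CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"\D", "", m.group())):
            found.add("Credit Card Number")
    if EMPLOYEE_ID_RE.search(text):
        found.add("Employee ID (custom)")
    return found


@dataclass
class DlpPolicy:
    name: str
    locations: frozenset                    # Question 2: where the data is stored
    sensitive_types: frozenset              # Question 3: what counts as a match ...
    sensitivity_labels: frozenset = frozenset()
    only_when_shared_externally: bool = True
    actions: dict = field(default_factory=dict)   # Question 4: action per location


@dataclass
class Item:
    location: str
    content: str
    shared_externally: bool = False
    sensitivity_label: str = ""


def evaluate(policy: DlpPolicy, item: Item) -> Optional[str]:
    """Return the protective action for one item, or None when the policy does not apply."""
    if item.location not in policy.locations:
        return None                                   # location is not monitored
    if policy.only_when_shared_externally and not item.shared_externally:
        return None                                   # sharing condition not met
    matched = bool(detect_sensitive_types(item.content) & policy.sensitive_types)
    matched = matched or item.sensitivity_label in policy.sensitivity_labels
    if not matched:
        return None
    return policy.actions.get(item.location, "AuditOnly")


def evaluate_all(policy: DlpPolicy, items) -> list:
    return [evaluate(policy, item) for item in items]


# Constructed policy. The location-dependent actions follow the section's examples:
# block external access in SharePoint/Exchange/OneDrive, quarantine on a file share.
POLICY = DlpPolicy(
    name="Financial data (constructed example)",
    locations=frozenset({"SharePoint", "Exchange", "OneDrive", "Teams", "OnPremFileShare"}),
    sensitive_types=frozenset({"Credit Card Number"}),
    sensitivity_labels=frozenset({"Highly Confidential"}),
    actions={
        "SharePoint": "BlockExternalAccess",
        "Exchange": "BlockExternalAccess",
        "OneDrive": "BlockExternalAccess",
        "Teams": "BlockMessage",
        "OnPremFileShare": "MoveToQuarantine",
    },
)

# Constructed sample items, one per outcome.
SAMPLE_ITEMS = [
    Item("SharePoint", "Invoice paid with card 4111 1111 1111 1111", True),
    Item("OnPremFileShare", "Card on file: 4111-1111-1111-1111", True),
    Item("Exchange", "Ref 4111 1111 1111 1112 fails the checksum", True),
    Item("Teams", "Draft board minutes attached", True, "Highly Confidential"),
    Item("OneDrive", "Card 4111 1111 1111 1111 kept internal", False),
    Item("Yammer", "Card 4111 1111 1111 1111 in an unmonitored location", True),
]

if __name__ == "__main__":
    for item, action in zip(SAMPLE_ITEMS, evaluate_all(POLICY, SAMPLE_ITEMS)):
        print(f"{item.location:16} -> {action}")
```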


After you have defined the parameters for your DLP policy, you can implement it within the Microsoft 365 Compliance Center. You have a few options for creating DLP policies: you can use a predefined template and customize it to your needs, or create a custom DLP policy. Figure 4-9 shows the Start with a template or create a custom policy page using a template for identifying HIPAA data.

FIGURE 4-9 DLP Policy creation page


Endpoint data loss prevention 


Microsoft 365 DLP also allows you to monitor activities taking place on Windows 10 devices via endpoint data loss prevention (endpoint DLP). You can audit and optionally restrict the following activities using endpoint DLP:

■ Upload of protected items to a cloud service or access by unallowed browsers
■ Copying sensitive information from a protected item to another application
■ Copying protected items to USB removable media
■ Copying protected items to a network share or mapped network drive
■ Printing of protected items to a local or network printer
■ Copying protected items to a remote desktop session
■ Copying protected items to unallowed Bluetooth applications
■ Creation of items (audit only)
■ Renaming of items (audit only)
Endpoint DLP supports the monitoring of the following file types: 
■ Word files 
■ PowerPoint files 
■ Excel files 
■ PDF files 
■ .csv files 
■ .tsv files 
■ .txt files 
■ .rtf files 
■ .c files 
■ .class files 
■ .cpp files 
■ .cs files 
■ .h files 
■ .java files 

Endpoint DLP monitors activity using the MIME type, so even if a file extension is changed, 
the activities will still be monitored. The activity recorded by Endpoint DLP is available via the 
Alerts tab in the Microsoft Compliance Center Data Loss Prevention section. 
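Content-based identification is what makes the "even if a file extension is changed" property hold. The following is an added example, not Microsoft's endpoint DLP code: it classifies a file from its leading bytes and container layout (PDF, RTF, Java .class, legacy Office OLE, and Office Open XML inside a ZIP), decides whether the real type is one of the monitored types above, and flags a renamed document; the sample files are constructed inline.

```python
import io
import zipfile

# Constructed example, not Microsoft's endpoint DLP code: classify a file by its
# content (magic bytes and container layout) rather than its extension, so a
# renamed document is still recognised, and flag the extension mismatch.

DOCX = "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
XLSX = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"
PPTX = "application/vnd.openxmlformats-officedocument.presentationml.presentation"
OLE = "application/x-ole-storage"      # legacy .doc/.xls/.ppt container


def sniff_type(data: bytes) -> str:
    """Return a content-derived MIME type, ignoring the file name entirely."""
    if data.startswith(b"%PDF-"):
        return "application/pdf"
    if data.startswith(b"{\\rtf"):
        return "application/rtf"
    if data.startswith(b"\xca\xfe\xba\xbe"):
        return "application/java-vm"   # compiled Java .class file
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return OLE
    if data.startswith(b"PK\x03\x04"):
        # Office Open XML files are ZIP containers; the part names tell them apart.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "application/zip"
        for prefix, mime in (("word/", DOCX), ("xl/", XLSX), ("ppt/", PPTX)):
            if any(n.startswith(prefix) for n in names):
                return mime
        return "application/zip"
    try:
        data.decode("utf-8")
        return "text/plain"            # covers .txt/.csv/.tsv and source files
    except UnicodeDecodeError:
        return "application/octet-stream"


# Extension -> the content type that extension honestly implies.
EXPECTED_BY_EXT = {
    ".pdf": "application/pdf", ".rtf": "application/rtf", ".docx": DOCX,
    ".xlsx": XLSX, ".pptx": PPTX, ".class": "application/java-vm",
    ".doc": OLE, ".xls": OLE, ".ppt": OLE,
    ".txt": "text/plain", ".csv": "text/plain", ".tsv": "text/plain",
    ".c": "text/plain", ".cpp": "text/plain", ".cs": "text/plain",
    ".h": "text/plain", ".java": "text/plain",
}
MONITORED_TYPES = set(EXPECTED_BY_EXT.values())


def assess(filename: str, data: bytes) -> dict:
    """Monitoring decision for one file: what it really is, and whether it was renamed."""
    actual = sniff_type(data)
    ext = "." + filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    expected = EXPECTED_BY_EXT.get(ext)
    monitored = actual in MONITORED_TYPES
    return {
        "content_type": actual,
        "monitored": monitored,
        # A monitored document whose extension claims something else was renamed.
        "extension_mismatch": monitored and expected != actual,
    }


def make_docx_bytes() -> bytes:
    """Constructed minimal Word-style container, enough structure for sniffing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()
```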


DLP reports allow you to see the results of DLP policy matches and actions and user activi- 
ties. These results are stored in the Microsoft 365 Compliance center audit logs and are then 
forwarded to various reporting tools like the DLP Alerts Management Dashboard and the DLP 
Activity Explorer. The DLP Alerts Management Dashboard allows you to configure and review 
alerts, triage them in a central location, and track them through resolution. You can filter the 
alerts in the dashboard by Time Range, User, Alert Status, and Alert Severity. 


The DLP Activity Explorer operates like the Activity Explorer described in the previous sec- 
tion, but it has the Activity filter preset to DLPRuleMatch. This allows you to quickly see all 
DLP policy matches and further filter the activity using the standard filters. 


Skill 4-3: Insider risk 


Organizations must identify and mitigate many types of risks to protect their information. 
While most people immediately think of risks from outside sources, risks can also come from 
insiders like employees and contractors (and can be inadvertent or deliberate). Protecting your 
organization against these risks can be both challenging to identify and difficult to mitigate. 
This section covers the skills necessary to describe the various capabilities of the Microsoft 
insider risk management solution according to the Exam SC-900 outline. 


Insider risk management 


Understanding the types of risks found in the modern workplace should be the first step 
toward managing and minimizing the risk to your organization. Insider risk management for 
Microsoft 365 is a solution that aims to minimize risks originating from internal sources by 
facilitating the detection of risky or malicious activities and allowing you to investigate and act 
upon them. Some of these risky behaviors include leakage of sensitive data and data spillage, 
confidentiality violations, intellectual property theft, fraud, insider trading, and regulatory 
compliance violations. Insider risk management is centered around the following principles: 
■ Transparency Balance user privacy versus organization risk with privacy-by-design 
architecture 
■ Configurable Configurable policies based on industry, geographical, and business 
groups 
■ Integrated Integrated workflow across Microsoft 365 compliance solutions 
■ Actionable Provides insights to enable reviewer notifications, data investigations, and 
user investigations 


EXAM TIP 


Make sure you know and understand the principles of insider risk management. 


Insider risk management uses a five-step workflow that can help organizations identify, 
investigate, and take remedial action on internal risks. Using policy templates, in-depth activity 
signaling, and alert and case management tools, organizations can use actionable insights to 
quickly identify and act on any identified at-risk behavior. The following insider risk manage- 
ment workflow can help identify and resolve compliance issues and internal risk activities: 


■ Policies Insider risk management policies are created using predefined templates 
and policy conditions that define what risk indicators will be evaluated. Some of 
these conditions include the way that risk indicators are used for alerts, what users 
are included, which services are prioritized, and the effective period. There are eight 
predefined policy templates you can choose from to get started: 

   ■ Data theft by departing users 
   ■ General data leaks 
   ■ Data leaks by priority users (preview) 
   ■ Data leaks by disgruntled users (preview) 
   ■ General security policy violations (preview) 
   ■ Security policy violations by departing users (preview) 
   ■ Security policy violations by priority users (preview) 
   ■ Security policy violations by disgruntled users (preview) 


■ Alerts When risk indicators are found that match policy conditions, alerts are 
automatically generated and displayed in the Alerts dashboard in the Insider Risk 
section of the Microsoft 365 Compliance Center. This dashboard shows a prioritized 
list of alerts that need to be reviewed. The alerts are categorized by severity as High, 
Medium, or Low. 


■ Triage When new activities are identified that need investigation, they are assigned 
the Needs Review status. This helps reviewers quickly review and triage these alerts. 
To resolve alerts in this status, reviewers can open a new case, assign the alert to 
an existing case, or dismiss the alert. Alert filters can be used to quickly sort alerts 
by time detected, status, or severity. During the triage process, reviewers can view 
details of the identified activity, view user activity associated with the policy match, 
review the alert severity, and see additional user profile details. 


■ Investigate Once an alert is identified during the triage phase that requires 
additional investigation, a case is created. The Case dashboard provides a view of all 
currently active cases, open cases over time, and additional case statistics. When a 
case is selected from the dashboard, it will be opened for investigation and review. 
This is the most important step in the insider risk management workflow. Here, 
reviewers can see alert details, policy conditions matched, risk activities, and related 
user details for each case. The investigation tools available in this area include user 
activity, Content Explorer, and a section to provide case notes. 


■ Action Once cases have been investigated, the final step in the workflow is to 
take action on the findings. Reviewers can resolve the case or collaborate with other 
stakeholders in the organization. If the action was unintentional, the resolution could 
be as simple as sending a reminder notice to the user or directing them to additional 
compliance training. If the situation is more serious, you might need to share 
information related to the case with other stakeholders in the organization. 


There are many common scenarios where insider risk management can help organiza- 
tions detect, investigate, and take corrective action. Some of these include the intentional or 
unintentional leak of sensitive information, security policy violations, data theft by departing 
employees, actions taken by disgruntled employees, and general offensive behavior. 


Communication compliance 


Compliance with internal policies and standards often requires both the protection of 
sensitive and confidential information and detecting and acting on occurrences of inappropriate 
communications. Communication compliance in Microsoft 365 can assist organizations with 
minimizing risks related to this type of activity by allowing you to detect, capture, and take 
remedial actions for inappropriate Microsoft Teams communications and email. These 
inappropriate communications could contain profanity, threats, and harassment, or they could 
contain sensitive information that is being shared internally or externally. 


There are several core scenarios where communication compliance policies can help 
organizations be successful: 


■ Corporate policies Organizations must ensure that users comply with ethical 
standards, acceptable use, and other corporate policies during business communications. 
Communication compliance policies can help organizations detect communications 
that do not meet these standards (such as harassment or use of offensive language) 
and take actions to mitigate them. 


■ Risk management Communication compliance can also help to identify and 
mitigate potential legal exposure and other risks by scanning communications for 
unauthorized disclosure of confidential information like mergers and acquisitions or 
earnings disclosures. 


■ Regulatory compliance Almost all organizations must comply with some types of 
regulatory standards as part of their everyday business. These can include regulations 
for the financial industry that require safeguards to be in place to protect 
against insider trading, money laundering, and bribery activities. Using communication 
compliance policies, organizations can scan and report on corporate communications 
to help meet these regulations. 


Microsoft communication compliance uses the following four-step workflow to help 
organizations identify and resolve compliance issues: 


■ Configure Organizations must first identify compliance requirements and configure 
the applicable communication compliance policies. You can use the available policy 
templates to get started creating new compliance policies, and you can easily update 
them as regulations change. 


■ Investigate Once the compliance policies are configured and start matching content, 
alerts are generated, which must be investigated. There are several tools that are 
available for use in this workflow phase, including issue management, document review, 
user activity history review, and filters to help narrow down to specific communications. 


■ Remediate After compliance issues have been identified, they can be resolved via one 
of the following options: 

   ■ Resolve The Alert If the issue is remediated, you may resolve it, which will remove 
   it from the Pending Alert queue. 

   ■ Tag A Message Messages may be tagged as Compliant, Non-Compliant, or 
   Questionable, which can then be used to further filter policy alerts as part of your 
   review process. 

   ■ Notify The User This can be used to provide a warning notice to users who 
   might have inadvertently or accidentally violated your communication compliance 
   policy. 

   ■ Escalate To Another Reviewer Occasionally, escalation to other reviewers might 
   be necessary to resolve an incident. 

   ■ Report As Misclassified Messages can be incorrectly identified as matches for 
   compliance policies. These can be marked as misclassified and reported to Microsoft 
   to help improve global classifiers and automatically resolve the issue. 

   ■ Remove Message In Teams Inappropriate messages might be removed from 
   displaying in the Teams channel or chat and be replaced with a policy violation 
   notification message. 

   ■ Escalate For Investigation Escalation of the case for investigation can allow 
   you to transfer data and the management of the most serious cases to Advanced 
   eDiscovery in Microsoft 365. 


■ Monitor This workflow step spans the entire workflow process. Monitoring 
communications through investigation and remediation can allow admins to review and 
update existing policies or add new ones as needed. 


Information barriers 


While Microsoft 365 excels at enabling collaboration across groups and organizations, it also 
has capabilities to restrict communication and collaboration to specific groups when needed. 
There are many scenarios where communication should be kept in silos to protect 
organizational information. 


Information barriers are supported in SharePoint Online, OneDrive for Business, and Micro- 
soft Teams and are available as part of the Microsoft/Office 365 E5/A5, Advanced Compliance, 
and Insider Risk Management SKUs. Policies can be defined to allow or prevent groups of users 
in Microsoft Teams. When restricted, users will be unable to find, select, call, or chat with users 
blocked by policy. Some common scenarios where information barriers could be used are 
listed below: 


■ Contractors can be prevented from communicating or sharing files with groups working 
on highly confidential projects. 

■ A research team is restricted to only communicating with members of the product 
development team. 

■ Students in a school district can only see contact information for other students in their 
school. 


There are many types of communications in Microsoft Teams that can be restricted using 
information barrier policies. These include the following: 


■ Searching for a user 
■ Adding a member to a team 
■ Starting a chat session with someone 
■ Starting a group chat 
■ Inviting someone to join a meeting 
■ Sharing a screen 
■ Placing a call 
■ Sharing a file with another user 
■ Accessing a file through a sharing link 


Users included in an information barrier policy can be prevented from communicating per 
the settings in the policy. If a user is already part of a team or chat before the information bar- 
rier policy is applied, they might be removed from those chat sessions and further communica- 
tion may not be allowed. 


Privileged access management 


Providing users with permanent access to sensitive information or critical infrastructure set- 
tings in Microsoft 365 could cause organizations significant problems if those accounts are 
compromised or if there are internal threat actors. Privileged access management in Microsoft 
365 can help protect organizations from breaches and meet compliance requirements by 
requiring just-in-time access to sensitive data and critical configuration settings. 


Privileged access management provides organizations with the ability to operate with 
zero-standing access, meaning that users must request permission each time they need access 
and will only receive the level of access needed for the time necessary to complete their task. 
Zero-standing access helps to protect organizations against standing administrative access 
vulnerabilities. 


The four steps of the privileged access management process flow are described below: 


1. Configure a privileged access policy An approval policy must be configured in the 
Microsoft 365 admin center to define the specific approval requirements scoped at the 
task level. 


2. Access request Users can then request access to elevated or privileged tasks. The 
privileged access feature sends the request to Microsoft 365 for processing against the 
privileged access policy. This activity is recorded in the Security and Compliance Center 
logs. 

3. Access approval Once the request is made, an approval request is created, and 
a pending request notification is emailed to designated approvers. If the request is 
approved, the privileged access request is processed as an approval and the requester 
will be able to perform the designated task. If the request is denied, no access is granted 
to the requestor. The requestor is notified of the request approval or denial via email. 


4. Access processing If the request is approved, the task is processed. The approval is 
checked against the privileged access policy and processed by Microsoft. All activity for 
the task is then logged in the Security and Compliance Center. 


Customer Lockbox 


Organizations often require assistance from Microsoft Support when troubleshooting issues 
that arise with various services. To diagnose these issues, Microsoft typically uses the available 
telemetry and dedicated debugging tools in place for Microsoft services. However, engineers 
sometimes need access to organizational data to identify the root cause. Customer Lockbox is 
a safeguard that ensures that Microsoft cannot access organizational data to perform service 
operations without explicit approval from the customer. 


Customer Lockbox supports requests for data access in SharePoint Online, OneDrive for 
Business, and Exchange Online and is available as part of the Microsoft/Office 365 E5 subscrip- 
tion or the Advanced Compliance or Information Protection and Compliance add-on subscrip- 
tions. The Customer Lockbox workflow is described below. 


1. Customer request The process begins when a customer submits a support request 
and engages with Microsoft support. 


2. Microsoft support review Microsoft support then reviews the case and determines 
that access to organizational data will be required to resolve the issue. 


3. Lockbox request The support engineer logs into the Customer Lockbox request tool 
and requests access to the organizational data. This request includes the tenant name, 
service request number, and the amount of time the engineer will require access to the 
data. 


4. Support manager approval This request is sent to the Microsoft support manager 
for the customer for approval. Once approved, the Customer Lockbox will send an email 
notification to the designated approver at the organization to inform them of the 
pending access request. 


5. Customer approval The approver will then sign in to the Microsoft 365 admin center 
to approve the request. This approval will generate an audit record in the audit log. If 
the customer does not approve the request within 12 hours or rejects the request, the 
engineer will not be provided access to the data. 


6. Engineer access If the customer approves the request, the Microsoft support 
engineer will be notified and can log into the tenant to gather the data required during the 
designated timeframe. 


All actions performed by the engineer during the access time are logged to the unified 
audit log and may be reviewed by the customer using the audit log search tool. 
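Privileged access management and Customer Lockbox share the same shape: a request for a specific task, a designated approver, a deadline after which an unanswered request lapses (12 hours for Customer Lockbox), access that lasts only for the requested duration, and an audit trail of every step. The following is an added example of that just-in-time flow as hypothetical code, not Microsoft's implementation; the task name, people and times are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed just-in-time access workflow (hypothetical, not Microsoft's code).
# It models the steps from both the privileged access management and Customer
# Lockbox sections: policy, request, approval/denial with an expiry, and
# time-bound access that is logged.

APPROVAL_WINDOW = timedelta(hours=12)   # unanswered requests lapse after this


@dataclass
class Policy:
    task: str
    approvers: set                      # who may approve this task
    max_duration: timedelta             # longest access a request may ask for


@dataclass
class AccessRequest:
    requester: str
    task: str
    duration: timedelta
    created: datetime
    status: str = "pending"
    approved_at: Optional[datetime] = None


class JitAccess:
    def __init__(self, policies):
        self.policies = {p.task: p for p in policies}
        self.audit = []                 # (timestamp, message) pairs

    def _record(self, when: datetime, msg: str) -> None:
        self.audit.append((when, msg))

    def request(self, requester: str, task: str, duration: timedelta, now: datetime):
        req = AccessRequest(requester, task, duration, now)
        policy = self.policies.get(task)
        if policy is None or duration > policy.max_duration:
            req.status = "denied"       # no policy, or more access than policy allows
            self._record(now, f"{requester} request for {task!r} denied by policy")
        else:
            self._record(now, f"{requester} requested {task!r} for {duration}")
        return req

    def decide(self, req: AccessRequest, approver: str, approve: bool, now: datetime) -> str:
        if req.status != "pending":
            return req.status           # already decided, expired or denied
        if now - req.created > APPROVAL_WINDOW:
            req.status = "expired"
        elif approver not in self.policies[req.task].approvers:
            self._record(now, f"{approver} is not an approver for {req.task!r}")
            return req.status           # stays pending; only designated approvers count
        elif approve:
            req.status, req.approved_at = "approved", now
        else:
            req.status = "denied"
        self._record(now, f"{approver} set {req.requester}'s request to {req.status}")
        return req.status

    def has_access(self, req: AccessRequest, now: datetime) -> bool:
        """Zero-standing access: true only inside the approved window."""
        return (req.status == "approved"
                and req.approved_at <= now < req.approved_at + req.duration)

    def perform(self, req: AccessRequest, action: str, now: datetime) -> bool:
        ok = self.has_access(req, now)
        verb = "performed" if ok else "was blocked from"
        self._record(now, f"{req.requester} {verb} {action!r}")
        return ok
```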


Skill 4-4: eDiscovery 


Organizations often need to identify, collect, and/or audit information for legal, regulatory, or 
business reasons. With the large amount and variety of data found in business today, it is vital 
that organizations do this in an efficient and timely manner. Microsoft 365 eDiscovery 
capabilities can help organizations to achieve this goal. This section of the chapter covers the skills 
necessary to describe the various capabilities of Microsoft 365 eDiscovery according to the 
Exam SC-900 outline. 


Microsoft 365 eDiscovery 


Electronic discovery (eDiscovery) involves the identification and delivery of electronic 
information that can be used as evidence in legal cases. The eDiscovery tools in Microsoft 365 can be 
used to search for content in Exchange Online, Microsoft 365 Groups, SharePoint Online and 
OneDrive for Business sites, Microsoft Teams, Skype for Business conversations, and Yammer 
teams. There are three primary components to eDiscovery: the Content Search tool, Core 
eDiscovery, and Advanced eDiscovery. 


Mailboxes and sites can be searched in a single eDiscovery query by using the Content Search 
tool. Core eDiscovery cases can be used to identify, hold, and export content from sites and 
mailboxes. Advanced eDiscovery is part of the Office 365 E5 or Microsoft 365 E5 subscription 
(or related E5 add-on subscriptions) and gives you the ability to further manage custodians and 
analyze content. 


Content Search 


The Content Search tool available in either the Microsoft 365 or Office 365 Compliance Center 
can be used to quickly search through existing content across SharePoint sites and OneDrive 
locations, Exchange Online mailboxes, and conversations in Microsoft Teams, Skype for Busi- 
ness, and Microsoft 365 and Yammer groups. 


The first thing you must do to use Content Search is create a new search query. This consists 
of a meaningful name, the content location you would like to search, and any keywords and 
additional conditions you would like to search on. Figure 4-10 below shows a list of the search 
conditions that can be used in your search queries. 


FIGURE 4-10 Define Your Search Conditions page in Content Search 


You may also leave the keywords and conditions blank in the search query to return all 
content from the selected location(s). After you run a query, it returns matched content, and 
you have several options for actions you can take with that data. Below are some examples of 
actions you can take on the search results: 


■ Export the results This allows you to download the matched content results to your 
computer for additional analysis. 

■ Search for and delete email messages This action can allow you to delete malicious 
content like viruses and phishing messages. 

■ Export a report You also can export a summary of the content found for reporting 
purposes without exporting any actual content. 


To perform these actions, you can select a search query in the Content Search section of 
the Microsoft 365 Compliance Center and click the Actions button at the bottom of the 
Message Search pane, as shown in Figure 4-11. 


FIGURE 4-11 Message Search 


Core eDiscovery Workflow 


Core eDiscovery in Microsoft 365 allows organizations to search and export content from 
Microsoft 365 and Office 365 services. You can also use Core eDiscovery in places like 
SharePoint sites, OneDrive accounts, Exchange mailboxes, and Microsoft Teams to place an 
eDiscovery hold on specific items. Although Core eDiscovery is enabled by default, to use the 
functionality, a user must be a member of the eDiscovery Manager role group in the Office 365 
Security and Compliance Center. 


After appropriate permissions have been assigned, you can create new eDiscovery cases by 
going to the eDiscovery > Core page in the Microsoft 365 Compliance Center. When creating 
a new case, the only requirement is to give it a case name that is unique to your organization. 
Optionally, you can add additional case information and members to the case on the Settings 
tab in the case, as shown in Figure 4-12. 


FIGURE 4-12 Settings tab 


After you have created a new case, you can step through the Core eDiscovery workflow, 
which consists of three steps: creating an eDiscovery hold, searching for content, and exporting 
content. 


Create an eDiscovery hold 


Core eDiscovery cases can be used to preserve content that might be relevant to a case by 
creating eDiscovery holds. Holds may be placed on content in mailboxes and sites associated with 
Microsoft Teams, Office 365, and Yammer groups. When these locations are placed on hold, 
the content is preserved until you have removed or deleted the hold on the location. 
eDiscovery holds can take up to 24 hours before they take effect. 


When an eDiscovery hold is created, there are two options available to scope the content 
that will be preserved in the designated locations: 


■ Create An Infinite Hold When this type of hold is created, all content in the 
designated location is placed on hold. A query can also be used to scope down to a smaller 
subset of data in that location. 

■ Specify A Date Range This allows you to place a hold on data that is created, sent, or 
received only during the specified date range. 


Search for content in a case 


Once the Core eDiscovery case has been created and a hold has been placed on designated 
locations, you can run searches on the content that is related to the case. Searches related 
to eDiscovery cases are not listed under the search queries in the Content Search area in the 
Microsoft 365 Compliance Center. Rather, they are listed on the Searches tab for the specific 
case the searches were created for. This prevents users that are not members of a specific case 
from seeing what searches are taking place related to the case. The search queries created 
under a Core eDiscovery case are very similar to the search queries in Content Search except 
that they also have the capability to specifically target areas that are placed on hold for the 
case. 


Export content from a case 


After successfully running a search query within a case, you have the option to export the 
search results. When search results are exported from SharePoint and OneDrive for Business 
sites, copies of the documents will be exported. For mailbox content, the items will be down- 
loaded as individual messages or as PST files. In addition to the individual items, a summary 
Results.csv file is exported with information about each of the exported items, and an XML 
format manifest file is created with information about each search result. 


Additional actions 


Once you have completed a case, there are a few additional actions that can take place as part 
of the Core eDiscovery lifecycle: 


■ Close a case When the investigation or legal case that Core eDiscovery was used for 
is complete, you may close the case. After the case is closed, all related eDiscovery holds 
will be disabled, and a 30-day grace period (delay hold) is placed on the content to 
prevent it from being immediately deleted. This provides the case admin with time to 
search and restore content before it is permanently deleted. Although the case is closed, 
the case will remain on the Core eDiscovery page in the Compliance Center, and all 
details related to the case (holds, members, and searches) will be retained. 


■ Reopen a case There can be instances where cases need to be reopened after they 
are closed. Because all the details are retained, this can be done easily from the Core 
eDiscovery page. When a case is reopened, the holds are not immediately reinstated 
and must be turned on manually from the Hold tab in the case. 


■ Delete a case Both active and closed cases can be deleted. Deleting a case is different 
from simply closing the case because all details, searches, holds, and members are lost, 
and the case is removed from the list of cases on the Core eDiscovery page. 


Advanced eDiscovery workflow 


Advanced eDiscovery builds on top of the existing Microsoft Core eDiscovery capabilities by 
adding an end-to-end workflow to preserve, collect, review, analyze, and export content that 
is relevant to your organization's investigations. It also allows for close collaboration between 
legal teams and case custodians and allows them to manage the legal hold notifications. 


The Advanced eDiscovery workflow was designed to align with the Electronic Discovery Ref- 
erence Model (EDRM), which is a framework outlining standards for the recovery and discovery 
of digital data. The five steps of the Advanced eDiscovery workflow include the following: 


■ Preserve The first step is to identify custodians (the person or persons who have 
administrative control over the electronic file or document relevant to the case) and to 
gather additional data sources that might be relevant to the case that are not associated 
with specific users. This data is then reindexed (advanced indexing), and a hold can be 
placed on the data to preserve relevant case information. The communication workflow 
in Advanced eDiscovery can be used to send legal hold notifications. 


■ Collect Once custodians and non-custodial data sources have been added to the case, 
the built-in collections tool can be used to search and collect relevant data from these 
data sources. 


■ Review Once the search has been run and you have verified that it has collected the 
data you are looking for, you can add the results to a review set. When data is added 
to a review set, a copy of the items is transferred to a secure location in Azure Storage, 
where it is reindexed to optimize it for analysis. You also can create a conversation 
review set that will provide conversation reconstruction capabilities to export 
conversations from locations like Microsoft Teams. 


■ Analyze Once the data is in the review set, you can analyze the case data and reduce 
it to what is most relevant to the case. There are several tools that can be used, including 
viewing documents, using queries and filters (including metadata properties), applying 
tags to the items, annotating and redacting specific information, and using the analytics 
functionality of Advanced eDiscovery. 

■ Export The final step is to export the data from Advanced eDiscovery for review by 
people outside of the investigation team. This is a two-step process. First, you must 
export the data from the review set and copy it to a different Azure Storage location. 
You must then download the data using Azure Storage Explorer. This will contain the 
exported data files and also an export report, summary report, and error report. 


Skill 4-5: Auditing 


The Microsoft 365 Compliance Center has auditing that can allow organizations to view user 
and administrator activity via a unified audit log. This audit log allows compliance 
administrators and auditors to identify changes that have taken place throughout the Microsoft 365 
ecosystem. This can include locations like the core Microsoft 365 services, such as SharePoint 
Online, Exchange Online, OneDrive, and Teams but also extends to additional applications and 
services like Azure Active Directory, Microsoft Power Apps, Power BI, Dynamics 365, and others. 


MORE INFO UNIFIED AUDIT LOG LOCATIONS AND ACTIVITIES 


A full list of locations and activities that can be monitored via the unified audit log can be 
found at https://aka.ms/SC900_AuditActivities. 


There are two types of auditing available in Microsoft 365 depending on the license 
assigned to specific users: basic auditing and advanced auditing capabilities. This section cov- 
ers the skills necessary to describe Microsoft 365 auditing capabilities according to the Exam 
SC-900 outline. 


Microsoft 365 audit capabilities 


Microsoft 365 allows organizations to monitor activities performed by users and 
administrators via the unified audit log. In most Microsoft 365 and Office 365 organizations, a basic audit 
is enabled by default. When an audited activity is performed, an audit record is generated 
and stored in the unified audit log. With a basic audit, these records are retained and can be 
searched for up to 90 days. 


There are two roles that can be assigned to allow users to access and search the audit log: 
View-Only Audit Logs and Audit Logs. Assigning these roles is how access to the audit log is 
controlled. Once one of these roles has been assigned to a user, they can search the unified 
audit log. There are four criteria that can be used to filter search results (see Figure 4-13). 


[Figure 4-13 residue: the Audit search page in the Microsoft 365 compliance center, showing the Date and time range, Activities, File, folder, or site, and Users search fields] 


FIGURE 4-13 Content Explorer in the Microsoft Compliance Center 
■ Date And Time Range Allows you to narrow the scope of the search to a specific
timeframe, shown in your local time. By default, the search will show the last seven days
of audited activity.


■ Activities Allows you to define specific audited activities you would like to include
in the search. Leaving this blank will return all audited activities during the specified
timeframe.


■ File, Folder, Or Site Allows you to provide a specific keyword to narrow the search. As
with Activities, this can be left blank to return all audited locations.


■ Users Gives you the option to narrow your search results by selecting specific users.
This search box will perform an Azure AD lookup as you type to help you quickly select the
users or service accounts you are interested in finding.


Initially, the search results will show up to 150 items, but this will dynamically increase as you
scroll through them. You can use the Export button as shown in Figure 4-14 to export a CSV of
all search results.


[Figure 4-14 shows the Audit search results page for Saturday, Jun 19, 2021 12:00:00 AM to Saturday, Jun 26, 2021 12:00:00 AM, with the Export menu (Download all results) above a 150-item results table whose columns are Date, IP Address, User, and Activity; the visible rows are "Accessed mailbox items" events from IPv6 addresses.]

FIGURE 4-14 Audit log search results export to CSV


The audit log search returns the following information for each audit entry:

■ Date Date the event was recorded, shown in your local time.

■ IP Address IP address, in either IPv4 or IPv6 format, of the device used when the
activity was recorded.

■ User User (or service account) who performed the action that triggered the audit
entry.

■ Activity Activity that was performed.

■ Item Item that was created or modified based on the activity. (Not all activities will
contain values in this column.)

■ Detail Details related to the activity. (Not all activities will contain values in this
column.)


In addition to this basic information, you can click each individual entry in the audit log 
search results to see the Detail pane, as shown in Figure 4-15. 
[Figure 4-15 shows the Detail pane for one audit entry dated 2021-06-25 22:42:17, listing its Date, IP Address, Users, Activity (Accessed mailbox items), Item, and Detail fields; the Detail field expands to the Mail Items Accessed record properties, such as Id and Logon Type.]

FIGURE 4-15 Audit log search results additional details pane


Advanced Audit 


While basic auditing in Microsoft 365 is an amazing tool for monitoring and compliance, there
are additional capabilities available via Advanced Audit in Microsoft 365. Advanced Audit
expands on the capabilities of basic auditing by increasing audit log retention to facilitate
the longer timeframes needed to conduct forensic and compliance investigations, providing
access to additional events that could prove crucial for determining the scope of a compromise,
and allowing direct, high-bandwidth access to the Office 365 Management Activity API.


Advanced Audit is available to organizations with a Microsoft 365 Enterprise or Office 365 
E5/A5/G5 subscription. Organizations with Microsoft 365/Office 365 E3 licenses can also use 
Advanced Audit capabilities with either a Microsoft 365 E5 Compliance or Microsoft 365 E5 
eDiscovery and Audit add-on license. 


Advanced Audit retains all Exchange, SharePoint, and Azure Active Directory audit records 
for a full year. Audit records can be maintained for as long as 10 years with an additional add- 
on license. Retaining these logs for 10 years can help support long-running investigations and 
respond to regulatory, legal, and internal obligations. The default audit log retention policy 
retains the workloads mentioned above for one year and all other services for 90 days. Option- 
ally, you can create custom audit log retention policies to retain other types of audit records 
for periods of up to 10 years. These policies can be configured to target specific Microsoft 365 
services where audited activities occur, for specified audit activities, or for specific users who 
perform audited activities. 


Access to crucial events for investigations 


Advanced Audit can also help organizations conduct forensic and compliance investigations
by providing advanced details like when mail items were accessed, the time and content of
searches conducted in SharePoint Online and Exchange Online, and when mail items were
forwarded or replied to. These items can assist with investigations of potential breaches and can
help with the evaluation of the scope of a compromise. Specifically, Advanced Audit provides
access to the following crucial events:


■ MailItemsAccessed This event is a mailbox audit action that is triggered when mail
data is accessed by mail protocols or mail clients. This event can help investigators to
identify when there has been a data breach and determine the scope of messages that
might have been compromised.

■ Send The Send event is another mailbox audit event that is triggered when a user
sends, replies to, or forwards an email message. This event can help investigators identify
details around email messages sent by an attacker or from a compromised account.
These events contain details including when the message was sent, if it included any
attachments, the subject line, and the InternetMessageId. Investigators can use the subject
line or Message ID from this event to find where the message was sent and identify
other potentially compromised accounts using eDiscovery tools.

■ SearchQueryInitiatedExchange This event is triggered when a user searches for
items in a mailbox using an Outlook desktop or mobile client, such as Outlook on the web
(OWA) or the Windows 10 Mail app. This can be used by investigators to determine if
an attacker attempted to access sensitive information in a compromised mailbox. This
event contains the full text of the search query and can help investigators get a better
idea of what information an attacker might be targeting.

■ SearchQueryInitiatedSharePoint This event is similar to the previous one but is
triggered when a search takes place on a SharePoint site. This event can help investigators
to determine what an attacker was searching for and potentially identify sensitive
information in SharePoint that the attacker accessed. This event also contains the full
text of the search query and can be helpful to understand what information is being
targeted by the attacker.


In addition to access to crucial events, Advanced Audit also gives organizations high- 
bandwidth access to the Office 365 management API. In the past, API access to audit logs 
was restricted by throttling limits placed at the publisher level. With the release of Advanced 
Audit, Microsoft has changed from a publisher-level limit to a tenant-level limit, which pro- 
vides each organization with its own allocated bandwidth quota for accessing audit data. This 
quota scales with the number of licenses an organization purchases and the type of license. 
Organizations with E5 licenses will receive about twice the amount of bandwidth as non-E5 
organizations. 
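As an added example (not code from the book or from Microsoft), the following script works through the audit search results described earlier and the four Advanced Audit events listed above: it loads a constructed audit log export and summarizes what one compromised account searched for, read, and sent. The AuditData field names are assumed from the shape of Office 365 Management Activity API records; the user, addresses, and message IDs are invented.

```python
"""Scope a compromised mailbox from an audit log search export.

Added example for this section; it is not code from the book or from Microsoft. It
parses the AuditData JSON carried by each exported row and collects the Advanced
Audit events described in the text: MailItemsAccessed, Send,
SearchQueryInitiatedExchange and SearchQueryInitiatedSharePoint.
"""
import csv
import io
import json
from collections import Counter

# Constructed sample records. The field names follow the shape of Office 365
# Management Activity API records (an assumption for this example); every value is
# invented, including the users, the IPs (documentation ranges) and the message IDs.
SAMPLE_RECORDS = [
    {"CreationTime": "2021-06-25T22:37:02", "Operation": "SearchQueryInitiatedExchange",
     "UserId": "meganb@contoso.onmicrosoft.com", "ClientIP": "203.0.113.45",
     "QueryText": "payroll"},
    {"CreationTime": "2021-06-25T22:39:48", "Operation": "SearchQueryInitiatedSharePoint",
     "UserId": "meganb@contoso.onmicrosoft.com", "ClientIP": "203.0.113.45",
     "QueryText": "source code escrow"},
    {"CreationTime": "2021-06-25T22:42:17", "Operation": "MailItemsAccessed",
     "UserId": "meganb@contoso.onmicrosoft.com", "ClientIP": "203.0.113.45",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                             {"Name": "IsThrottled", "Value": "False"}],
     "Folders": [{"Path": "\\Inbox", "FolderItems": [
         {"InternetMessageId": "<msg-0001@contoso.example>"},
         {"InternetMessageId": "<msg-0002@contoso.example>"}]}]},
    {"CreationTime": "2021-06-25T22:58:03", "Operation": "Send",
     "UserId": "meganb@contoso.onmicrosoft.com", "ClientIP": "2001:db8::8d",
     "Item": {"Subject": "Q3 payroll export",
              "InternetMessageId": "<msg-0100@contoso.example>",
              "Attachments": "payroll_q3.xlsx (48213b)"}},
    # Another user's activity in the same export; it must not be attributed to the
    # compromised account.
    {"CreationTime": "2021-06-25T22:59:30", "Operation": "MailItemsAccessed",
     "UserId": "adelev@contoso.onmicrosoft.com", "ClientIP": "198.51.100.7",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"}],
     "Folders": [{"Path": "\\Inbox", "FolderItems": [
         {"InternetMessageId": "<msg-0500@contoso.example>"}]}]},
]


def build_sample_export() -> str:
    """Serialize the sample records as a CSV export: one row per record, with the
    whole record as JSON in the AuditData column, the way the audit search export does."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["CreationDate", "UserIds", "Operations", "AuditData"])
    for rec in SAMPLE_RECORDS:
        writer.writerow([rec["CreationTime"], rec["UserId"], rec["Operation"], json.dumps(rec)])
    return buf.getvalue()


def load_export(csv_text: str) -> list:
    """Parse an export and return the decoded AuditData object of every row."""
    return [json.loads(row["AuditData"]) for row in csv.DictReader(io.StringIO(csv_text))]


def scope_compromise(records: list, user: str) -> dict:
    """Summarize what one account searched for, read and sent.

    Returns the search queries in order, the distinct InternetMessageIds that were
    accessed, whether any MailItemsAccessed record was throttled (the accessed set is
    then only a lower bound), the messages sent, and a count of records per client IP."""
    user = user.lower()
    accessed = set()
    summary = {"search_queries": [], "sent_messages": [], "throttled": False,
               "client_ips": Counter()}
    for rec in records:
        if rec.get("UserId", "").lower() != user:
            continue
        op = rec.get("Operation")
        if rec.get("ClientIP"):
            summary["client_ips"][rec["ClientIP"]] += 1
        if op in ("SearchQueryInitiatedExchange", "SearchQueryInitiatedSharePoint"):
            # Full query text: shows what the attacker was looking for.
            summary["search_queries"].append((op, rec.get("QueryText", "")))
        elif op == "MailItemsAccessed":
            for folder in rec.get("Folders", []):
                for item in folder.get("FolderItems", []):
                    if item.get("InternetMessageId"):
                        accessed.add(item["InternetMessageId"])
            props = {p["Name"]: p["Value"] for p in rec.get("OperationProperties", [])}
            if str(props.get("IsThrottled", "False")).lower() == "true":
                summary["throttled"] = True
        elif op == "Send":
            item = rec.get("Item", {})
            # Subject and InternetMessageId are the pivots for a follow-up eDiscovery search.
            summary["sent_messages"].append({
                "sent_at": rec.get("CreationTime"),
                "subject": item.get("Subject", ""),
                "message_id": item.get("InternetMessageId", ""),
                "has_attachments": bool(item.get("Attachments")),
            })
    summary["mail_items_accessed"] = sorted(accessed)
    return summary


if __name__ == "__main__":
    records = load_export(build_sample_export())
    print(json.dumps(scope_compromise(records, "MeganB@contoso.onmicrosoft.com"), indent=2))
```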


Skill 4-6: Resource governance 


Organizations today need to ensure that all of their Azure resources are properly governed and
that they are secure. Azure has many capabilities that can assist organizations with resource
governance. This section covers the skills necessary to describe Microsoft resource governance
capabilities according to the Exam SC-900 outline.


Azure resource locks 


Azure resource locks provide organizations with the capability to lock a resource, resource 
group, or subscription to prevent users from accidentally deleting or modifying critical 
resources. These management locks are applied globally to all users and roles and will override 
any permissions the user might have. There are two lock levels that are available to resource 
administrators: 


■ CanNotDelete This lock level (called Delete in the portal) gives users the ability to
modify resources but restricts their ability to delete the resource.

■ ReadOnly This lock level (called Read-only in the portal) gives users the right to read
the resource but will not allow any modification or deletion of the resource. This is the
equivalent of restricting all users to the Reader role for the resource.


It is also important to understand lock inheritance for Azure resource locks. When a lock 
is applied at a parent scope, resources within that scope will inherit the same lock. When new 
resources are added to the scope, they will also inherit the lock from the parent. Because 
of this, resources can have both a CanNotDelete lock (parent-level) and a ReadOnly lock 
(resource-level). In this event, the most restrictive lock in the inheritance takes precedence 
(in this case, the ReadOnly lock at the resource level). 


Resource locks only affect operations on the management plane. This means that locks will 
not affect how resources complete their functions. So, although the resource might not be able 
to be modified once the lock is in place, the resource can continue with its normal operations. 


Azure Blueprints 


Azure Blueprints are a way to define a repeatable set of Azure resources that adheres to an 
organization's standards, patterns, and requirements. This is similar to the blueprint that an 
engineer or architect would use to sketch a project's design parameters but is focused on 
helping development teams working in Azure. This can help development teams automate 
the creation of new application environments with confidence, knowing that what they are 
building will meet organizational policy or external compliance standards. This allows teams to 
build resources across multiple subscriptions simultaneously and allows them to have shorter 
development lifecycles and rapid delivery. 


Azure Blueprints are a declarative way to orchestrate the deployment of various resource
templates and other artifacts such as the following:

■ Role Assignments
■ Policy Assignments
■ Azure Resource Manager templates (ARM templates)
■ Resource Groups

The Azure Blueprints service is backed by Azure Cosmos DB and is replicated to multiple
Azure regions. This helps to provide high-availability, low-latency, and consistent access to
the blueprint objects no matter what region you are deploying to. With Azure Blueprints, the
relationship between the blueprint definition (what should be deployed) and the blueprint
assignment (what was deployed) is preserved. This connection supports improved tracking and
auditing of deployments.


Azure Blueprints provides a way for organizations to ensure that Azure resources are 
deployed in an efficient manner while meeting compliance requirements. 


Azure Policy 


Azure Policy was developed to enforce organizational standards and assess overall compliance.
The Azure Policy compliance dashboard provides a bird's-eye view of the state of an organization's
environment with the ability to drill down to per-resource or per-policy granularity. You
can also use bulk remediation to bring resources to compliance at scale and apply policy to
new resources automatically.


Azure Policy has many common use cases, including implementing governance for regula- 
tory compliance, security, cost, resource consistency, and management purposes. Azure Policy 
comes with built-in definitions for these use cases. Azure Policy uses these definitions to evalu- 
ate whether the properties of resources align with business rules. 

Policy definitions are business rules that are expressed using JSON format. These definitions 
can be grouped together as a set to form policy initiatives. You can assign these policy defini- 
tions or initiatives to any scope of resources that are supported, including individual resources, 
resource groups, subscriptions, and even entire management groups. 

Resources are evaluated regularly to ensure they are compliant with the assigned policy 
definition or initiative. There are specific times or events that will cause a resource to be 
evaluated: 

■ Resource modification When a resource is created, modified, or updated in a scope
with a policy assignment

■ Policy or Initiative assigned When a policy or initiative is assigned to a scope

■ Policy or Initiative updated When a policy or initiative assigned to a scope is
updated

■ Compliance evaluation cycle Every 24 hours during the standard compliance
evaluation cycle


Organizations have several options when handling non-compliance with business rules. 
Below are some examples of actions an organization can take in response to a non-compliant 
resource: 


■ Deny a change on a resource
■ Log changes to the resource
■ Alter the resource after the change has taken place
■ Alter the resource before the change takes place
■ Deploy related compliant resources


Azure Policy and Azure role-based access control (RBAC) both serve purposes in protect- 
ing resources, but they are different with regard to how they implement the protections. While 
Azure RBAC focuses on preventing users from making improper modifications by managing 
the permissions they have over the resources, Azure Policy focuses on maintaining a resource 
state that is compliant with organizational policies, regardless of who makes the changes. If 
user actions are what you are looking to control, then Azure RBAC is the right tool to accom- 
plish this. Azure Policy, on the other hand, will block an action if it results in a non-compliant 
state, even if the user has the appropriate permissions to perform the action. 
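As an added example (not from the book or from Azure Policy itself), the following evaluator shows how a JSON policy definition of the kind described above turns into a Deny or Audit decision: a constructed allowed-locations definition is applied to resource descriptions, and assignment parameters override the definition's defaults so the same definition can be assigned as Audit on one scope and Deny on another. Only a subset of the condition operators is implemented, and resource property aliases are not modelled.

```python
"""Evaluate an Azure Policy definition against resource descriptions.

Added example for this section; it is not code from the book or from Azure Policy. It
implements the small subset of the policy-rule language used by the constructed
definition below (field conditions with equals/notEquals/in/notIn/exists, the
allOf/anyOf/not combinators, and "[parameters('...')]" references).
"""
import json

# A constructed definition in the shape of an Azure Policy JSON document, modelled on
# the familiar "allowed locations" rule. Parameter names and values are illustrative.
POLICY_DEFINITION = json.loads("""
{
  "properties": {
    "displayName": "Allowed locations (example)",
    "mode": "Indexed",
    "parameters": {
      "listOfAllowedLocations": {"type": "Array", "defaultValue": ["eastus", "eastus2"]},
      "effect": {"type": "String", "defaultValue": "Deny",
                 "allowedValues": ["Audit", "Deny", "Disabled"]}
    },
    "policyRule": {
      "if": {
        "allOf": [
          {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
          {"field": "location", "notEquals": "global"},
          {"field": "type", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"}
        ]
      },
      "then": {"effect": "[parameters('effect')]"}
    }
  }
}
""")

PARAM_PREFIX, PARAM_SUFFIX = "[parameters('", "')]"


def resolve(value, params):
    """Resolve a "[parameters('name')]" reference; any other value passes through."""
    if isinstance(value, str) and value.startswith(PARAM_PREFIX) and value.endswith(PARAM_SUFFIX):
        return params[value[len(PARAM_PREFIX):-len(PARAM_SUFFIX)]]
    return value


def _norm(value):
    # Azure Policy compares strings case-insensitively; normalize before comparing.
    return value.lower() if isinstance(value, str) else value


def get_field(resource, field):
    """Read a field from a resource description. Only top-level fields (type, name,
    location) and tags['key'] are modelled; provider aliases are not."""
    if field.startswith("tags[") and field.endswith("]"):
        return resource.get("tags", {}).get(field[len("tags["):-1].strip("'"))
    return resource.get(field)


def evaluate_condition(cond, resource, params):
    """Return True when the condition matches the resource."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource, params)
    value = _norm(get_field(resource, cond["field"]))
    if "equals" in cond:
        return value == _norm(resolve(cond["equals"], params))
    if "notEquals" in cond:
        return value != _norm(resolve(cond["notEquals"], params))
    if "in" in cond:
        return value in [_norm(v) for v in resolve(cond["in"], params)]
    if "notIn" in cond:
        return value not in [_norm(v) for v in resolve(cond["notIn"], params)]
    if "exists" in cond:
        return (value is not None) == (str(resolve(cond["exists"], params)).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(definition, assignment_params, resource):
    """Return the effect that applies to the resource ("Deny", "Audit", ...) or None
    when the resource is compliant or the assignment's effect is Disabled.

    Assignment parameters override each parameter's defaultValue, which is how one
    definition can be assigned as Audit on one scope and Deny on another."""
    props = definition["properties"]
    params = {name: spec.get("defaultValue") for name, spec in props.get("parameters", {}).items()}
    params.update(assignment_params)
    rule = props["policyRule"]
    effect = resolve(rule["then"]["effect"], params)
    if effect == "Disabled":
        return None
    return effect if evaluate_condition(rule["if"], resource, params) else None


if __name__ == "__main__":
    vm = {"type": "Microsoft.Compute/virtualMachines", "name": "vm1", "location": "westeurope"}
    print(evaluate(POLICY_DEFINITION, {}, vm))                          # Deny
    print(evaluate(POLICY_DEFINITION, {"effect": "Audit"}, vm))         # Audit
    print(evaluate(POLICY_DEFINITION, {}, dict(vm, location="EastUS")))  # None
```

A Deny result is returned regardless of who submits the resource, which is the distinction from Azure RBAC drawn in the paragraph above.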


Cloud Adoption Framework 


Microsoft's Cloud Adoption Framework for Azure is a collection of documentation, best practices,
technical guidance, and tools that can help organizations align business goals, readiness,
and technology strategies. This alignment enables a clear and actionable journey to the cloud
that rapidly delivers on the desired business outcomes.


The Cloud Adoption Framework helps organizations move to the cloud using a proven 
and consistent methodology for adopting cloud technologies. There are six main modules 
(methodologies) that align to the different phases of the Cloud Adoption Framework: 


■ Define strategy
■ Plan
■ Ready
■ Adopt
■ Govern
■ Manage


Define strategy 


When defining a cloud adoption strategy, organizations must evaluate their motivations for 
moving to the cloud, establish clear business outcomes, and define the business justification 
for their journeys. 


Organizations often have different motivations for moving to the cloud. Some organizations
are motivated by moving away from costly on-premises applications, while others may be
interested in the new capabilities and products available. Some common motivators include:


■ Improving scalability of services across different geographies
■ Reduction of technical complexity
■ Cost savings
■ Increases in business agility
■ Optimization of internal operations

All these are valid reasons to start looking at the cloud. When developing a strategy for
moving to the cloud, the key areas that organizations should focus on are establishing clear 
business outcomes that will drive engagement for their cloud journey and defining the 
business opportunities that justify the effort, so they can identify the correct technologies they 
will use. 


A good way for organizations to start their cloud adoption journey is to select some initial 
applications that they would like to migrate and use those to test the migration. You can start 
with production applications where the business owner has a strong motivation to migrate 
to the cloud or with applications with a small number of dependencies that can be migrated 
swiftly. You will come across many applications in both of these categories, so understanding 
how you will handle each type will help determine the best strategy for migrating to the cloud. 


Plan 


As your organization embarks upon your cloud adoption journey, proper planning is integral 
to your success. You must first understand where your organization is with your technical 
investments and then develop a prioritized action plan for your migration to the cloud. The 
main actions you must do for this section are to rationalize your digital estate and create a 
cloud adoption plan. 


To start with rationalizing your digital estate, you must take inventory of all of your existing 
digital assets and determine whether to migrate or modernize those assets for the cloud. This is 
usually accomplished by looking at the five Rs: 


■ Rehost This is often known as a lift-and-shift operation, where applications are moved
in their current state directly to the cloud hosting provider, making minimal changes to
the underlying architecture.

■ Refactor This is the process of rebuilding code for applications so they will be more
efficient running on the new cloud platform, which will reduce resource consumption
and cost while often improving the speed of the applications.

■ Rearchitect This is done when legacy applications cannot be directly moved to the
cloud or easily refactored. These applications will require rearchitecting to help produce
cost and operational efficiencies in the cloud.

■ Rebuild This is done when out-of-support or misaligned on-premises applications
cannot be moved to the cloud or when the cost would not be viable. For these, creating
a new code base with a cloud-native design might prove to be a better solution.

■ Replace Sometimes, there are better alternatives to on-premises applications that
already exist in the cloud. In this case, replacing the application with one of these
applications could prove advantageous to the organization.


After you have rationalized the best way to handle your various digital assets during your 
migration to the cloud, you are ready to start creating your cloud adoption plan. The key steps 
for building this plan are as follows: 


■ Review sample business outcomes
■ Identify the metrics that will best show the progress toward the identified business
outcomes
■ Establish a financial model that aligns with these outcomes


Ready 


After you have taken inventory of your digital estate and developed a plan to move to the 
cloud, you must ready your organization for the move to the cloud. This methodology focuses 
on two main areas: 


■ The first is to define a skills and support readiness plan to help your organization
address current gaps, ensure that both IT and business personnel are prepared for
changing to the new technologies, and define future support needs based on the new
cloud-based architecture.

■ The second is to create your landing zone, or to set up a migration target in the cloud to
handle prioritized applications.


A landing zone is an environment such as Microsoft Azure that is prepared to host work- 
loads in the cloud. A fully functioning landing zone is the final deliverable of any iteration of 
the Cloud Adoption Framework for Azure methodology. 


Adopt 


At this point, you have defined your business and technology objectives and prepared the
environment to move your applications to the cloud, your landing zone has been established,
and you are ready for your organization to begin adopting cloud technologies. As mentioned
earlier, your organization has unique motivations to move to the cloud. These come down to
either cloud migration activities or cloud innovation activities.

■ Cloud migration Cloud migration involves moving digital assets from an on-premises
location to a cloud platform. Once an application becomes available in the cloud, users
must be transitioned from the existing application to the new one in the cloud. How you
migrate applications to the cloud depends largely on the migration timeline, business
motivations, and technology strategies.

■ Cloud innovation Cloud innovation refers to using cloud-native benefits to modernize
older applications that can take advantage of them. Modern DevOps and software
development lifecycle (SDLC) approaches that use cloud technology shorten the time
from idea to product transformation. These tools help organizations to create shorter
feedback loops and better customer experiences.


Govern and Manage 


Cloud migration is not a destination but rather a journey. The end goal is often unknown when
you are just starting out on this journey. Only through constant iteration as you move applications
and workloads to the cloud will the final result begin to take shape. It is important to
define governance solutions for your cloud environment that will help control risks, provide
agility, and above all else, meet your business needs. Along with this, you must also manage
the cloud environment based on those governance solutions in a way that will foster growth,
evolve over time, and adapt to your organization's ever-changing business needs.


Cloud governance establishes guidelines to keep your organization safe throughout your 
journey to the cloud. The Cloud Adoption Framework for Azure outlines a governance model 
that identifies key areas of importance that are related to different risks that an organization 
must address during the move to the cloud. Because governance needs will evolve over time as 
you move to the cloud, your organization's governance model must be flexible, and you must 
move rapidly to keep pace with business demands and maintain relevance throughout your 
cloud journey. 


Incremental governance relies on a small set of corporate policies, processes, and tools to
establish a foundation for adoption and governance. This foundation is referred to as the minimum
viable product (MVP) and allows your governance team to incorporate governance into
deployments throughout the adoption lifecycle. Once the MVP has been established, additional
layers of governance can be added to the environment.


The manage methodology aims to maximize return on investment by balancing stability
and operational costs. Business operations must be stable to maintain revenue streams, but
operational costs must be minimized to reduce overhead and increase profit from business
processes. Cloud operations create a maturity model that helps the team fulfill commitments to
the business. Early on in an organization's cloud journey, the focus is on inventory, visibility into
cloud assets, and performance. However, as cloud operations mature, they can shift to cloud-native
or hybrid approaches and to maintaining and improving operational compliance.


Thought experiment 


In this thought experiment, demonstrate your skills and knowledge of the topics covered in this 
chapter. You can find answers to this thought experiment in the next section. 




Protecting Contoso’s Intellectual Property 


You are a compliance admin working for Contoso Electronics, a multi-national corporation
that provides specialized electronic components for large computer manufacturers.
You have recently migrated many of your on-premises services and workloads to
the cloud, and users have been fully onboarded to Exchange Online, SharePoint Online,
OneDrive, and Microsoft Teams. This has greatly increased your productivity, though it
has brought in new risks as well.

After migrating to the cloud, Contoso had a cybersecurity incident where several
development team accounts were compromised through malware that was shared
over Teams by a contractor account. To make matters worse, one of the compromised
accounts was an Exchange administrator in a previous role whose access had not
been removed. You have been asked by your CISO to determine the scope of sensitive
information that might have been accessed and to determine additional safeguards that
should be put in place to mitigate this type of attack in the future. Contoso has recently
purchased a Microsoft 365 E5 subscription to ensure that they can put the best protections
in place for their sensitive data.


With this information in mind, answer the following questions: 


1. What can be used to determine what sensitive information the attacker might have 
been trying to find when they accessed the compromised accounts? 


2. How can you ensure that contractors are not able to share files with, or contact, members
of critical development teams?


3. What safeguards can you use to ensure that standing administrative privileges are 
minimized within the organization? 


Thought experiment answers 


This section contains the solution to the thought experiment. Each answer explains why the 
answer choice is correct. 


1. Using Advanced Audit capabilities, you can review the SearchQueryInitiatedExchange 
audit events for the compromised account to help determine the type of sensitive data 
the attacker was after. 


2. Information barriers can be used to prevent members of the contractor group from 
contacting the development team users or sharing files over Microsoft Teams. 


3. Privileged access management can be used to remove standing administrative access, 
which will reduce the risk of administrative accounts being compromised. 


Chapter summary 


■ Compliance Manager provides step-by-step guidance to assist organizations with
implementing regulatory requirements and helps to translate complicated regulations
into simple language.

■ The four key elements of Compliance Manager are controls, assessments, templates,
and improvement actions.

■ Compliance score is initially based on the Microsoft 365 data protection baseline.

■ Scores assigned to various actions affect the compliance score based on whether they
are mandatory or discretionary and if they are preventative, detective, or corrective
actions. Actions that are mandatory and preventative have the highest score value.

■ Sensitive information types can be used to identify sensitive information based on
specific keywords, functions, or regular expressions.

■ Creating a custom trainable classifier requires you to provide 50-500 samples of data
that is a positive match for the category. After the samples have been processed, a
prediction model will be created, and you can then test the classifier.

■ Content Explorer shows a consolidated view of data that has a sensitivity or retention
label assigned or that has been classified as a sensitive information type for your
organization.

■ Activity Explorer supplements the functionality of Content Explorer by showing what
activities have taken place on labeled content over time.

■ Activity Explorer uses the Microsoft 365 audit logs to gather labeling activity
information.

■ Sensitivity labels are metadata that is applied to content that can optionally include
visual content markings and encryption of the data itself.

■ Sensitivity labels are like stamps that are applied to content and are customizable,
stored as clear-text metadata within files and emails, and persistent.

■ Retention settings work across SharePoint and OneDrive sites, Exchange mailboxes
and public folders, and Teams and Yammer chats and messages. Retention settings
are applied to content using retention policies, retention labels with label policies, or a
combination of both.

■ When content is marked as a record, restrictions are put in place on the types of actions
that are allowed or blocked. Also, additional logging is generated for activities related
to the item, and you have proof of disposition after the item is deleted at the end of the
retention period.

■ Regulatory records have additional controls, such as preventing the removal of the label
from the item and preventing the retention period from being shortened after applying
the label.

■ Insider risk management is centered on the following principles: transparency, configurable
policies, integrated workflow, and actionable insights.

■ Insider risk management policies are created using predefined templates and policy
conditions that define what risk indicators will be evaluated.

■ Information barriers are used to control communications via SharePoint Online,
OneDrive for Business, and Microsoft Teams.

■ Privileged access management provides organizations with the ability to operate with
zero-standing access, meaning that users must request permission each time they need
access and will only receive the level of access needed for the time necessary to complete
their tasks.

■ Customer Lockbox is a safeguard that ensures that Microsoft cannot access organizational
data to perform service operations without explicit approval from the customer.

■ The Core eDiscovery workflow consists of three steps: creating an eDiscovery hold,
searching for content, and exporting content.

■ Advanced eDiscovery builds on top of the existing Microsoft Core eDiscovery capabilities
by adding an end-to-end workflow to preserve, collect, review, analyze, and export
content.

■ Advanced Audit increases audit log retention (up to 10 years), provides access to additional
events, and allows high-bandwidth access to the Office 365 Management Activity
API.

■ Azure resource locks provide organizations with the ability to lock a resource, resource
group, or subscription to prevent users from accidentally deleting or modifying critical
resources.

■ Azure Blueprints are a way to define a repeatable set of Azure resources that adheres to
an organization's standards, patterns, and requirements.

■ Azure Policy was developed to enforce organizational standards and assess overall
compliance.

■ The Cloud Adoption Framework for Azure is a collection of documentation, best practices,
technical guidance, and tools that can help organizations align business goals,
readiness, and technology strategies.

■ The six methodologies that align to the different phases of the Cloud Adoption
Framework are: define strategy, plan, ready, adopt, govern, and manage.